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ABSTRACT 


This thesis addresses the development of a system to 
secure appropriately an organization from some discernible 
threats posed by the presence, power, and applications of 
its computers. It presents a conceptual definitional frame- 
work for an information system (IS) security system. This 
framework consists of the system's objectives environment; 
resources; components (tasks); and management. A generic 
development model is established to construct a security 
system within this framework. The model consists of 
Menning, design, and implementation (installation, testing, 
and management) phases. Conclusions are drawn which present 
the continuing need for such a development process within an 
organization. The development model is considered suffi- 
cient enough to serve as a basis for the performance of 
security system developments within a broad range of 


organizations. 
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Il. INTRODUCTION 


There, are some occasions, though. when the most significant, force in a vear's 
news is not a single individual büt a process. and a widespread recognition bv a 
whole society that this паа is changing the course of all other processes. ‘That 
15 Why, alter weighing the ebb and flow of events around the world, TIME has 
decidéd that 1982 is the year of the computer. It would have been possible to 
single out as Man of the Year one of the engineers or entreprencurs who 
masterminded this technological revolution, but no one person has clearly 
dominated those turbulent évents. More tmportant, such a selection would 
obscure the main point. TIME’s Man of the Year for 1982, the grcatest influence 
for good or evil, is not a man at all. [tis a machine: the computer. [Ref. I:p. 16] 


A. THE COMPUTER 

This thesis was written within the context of how the computer is changing our 
socicty and the potentials for good and evil that result from such changes. Unlike other 
inventions that have been developed, the computer's impact is sometimes hard to 
discern. Except in recent years, with the increasing use of microcomputers, the 
computer has remained hidden behind concrete and glass enclosed walls in buildings of 
varying shapes and sizes. It scemed to remain a mystery to all but a select few. Onc 
only felt its presence in the stacks of paper that would come reaming forward at select 
times. Even now, as the emphasis has shifted toward widely dispersed processing, the 
full force of its power, presencc, and impact remain obscured. 

The essential power of a computer lies in its capabilities to process, sort, store, 
and communicate vast amounts of data at great speed and accuracy. Such power 
reflects the logical dimension of computers rather than their physical dimension. Unlike 
many great inventions of society, like the car, the presence of the computer is more 
logical than physical. As computer technology advanced from the first to the current 
generation, the physical dimension of the computer decreased. This surely resulted from 
advances in software and circuitry. 

It has only been in recent years that the computer’s power and presence have 
begun to permeate our socicty in ever more noticeable forms. Perhaps this “macro” 
permeation could be compared with Richard Nolan’s "micro" or organizational level 
Contagion Stage (Phase I1) of Data Processing Growth. IRC 2:pp. 115-126] Surely, 
computer technologv has been initiated (Stage |). Аз to whether society has imposed 


sufficient controls (Stage 111) over this growth is debatable and bevond the scope of 


this thesis. However, the issue as to whether an organization within society has 
recognized the need for and imposed sufficient controls on the threats to its IS will be 
addressed. 

As the power, presence, and applications of computer technology increase within 
our society, the issue as to whether such growth represents any threats could and 
should be raised. With prior technologies, when such threats were detected and 
assessed as to be material in nature, society responded with various “macro” controls 
such as laws, regulatory bodies, and reporting requirements. At the “micro” level of 
society, organizations have also faced the issue of a multitude of threats imposed by 
technological proliferations. 

This research addresses the development of a system to secure appropriately an 
Organization from some discernible threats posed by the presence, power, and 
applications of its computers. Therefore, more than just the security of its physical 
assets with economic values will be discussed. As will be addressed later, the issues are 
more complex than economic valuations. It 1s intended that the research will provide a 
generic model which could be used by an organization to address complex information 
systems (IS) security issues. The model will provide a useful framework which could be 


expanded, as needed, to meet organizational IS security requirements. 


B. RESEARCH OBJECTIVES 
The following are the thesis research objectives: 


е To place the IS security issue within the broad context of society, organizations, 
and individuals. 


е To provide a conceptual systematic definitional framework for IS security. 


е To provide a generic development, model which could be used to construct an 
organization's security system within the conceptual framework. 


е To establish a basic understanding of the need for IS secunty. 


ә To provide a basis for further research on and enhancements to the points 
discussed in the thesis. 


Four primary research questions will be addressed to accomplish the stated 
research objectives. 


е What is the basic шоа of IS security to society, organizations, and 
individuals? (Chapter I1) 


e What is an IS security system ? (Chapter III) 
е What are the needs for IS security with an organization? (Chapters [V - V) 
° How can an IS security system be developed? (Chapters IV - VI) 


Each of the three research questions will be addressed in the subsequent chapters. 
Chapter II intends to provide background information concerning the present impact 
that the computer is having on our society. Some of the threats and implications posed 
by the impact will be discussed. Chapter III presents the conceptual definitional 
framework of an IS security system using a “systems approach”. Chapters IV to VI 
provide a development model which could be used to construct an organization’s 
security system within that conceptual framework. Finally, Chapter VII presents some 


conclusions concerning the development model and the future of IS security. 
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Il. BACKGROUND 


A tool is but the extension of a man’s hand and a machine is but. a complex tool. 
He that invents a machine augments the power of a man and the well-being of 
mankind. [Henry Ward Beecher] 


Men have become the tools of their tools. [Thoreau, Walden | 


А. THE ISSUE OF IS SECURITY 

The issue of IS security is one that is inextricably tied to the proliferation, diverse 
and wide application, interconnectivity, and significance of computers within our 
society. As a result of these and several other factors, society has become more and 
more dependent on the use of computers. This dependency varies as one discusses the 
multitude of entities that comprise our society. The economic system, for example, 
appears to be substantially more dependent on computer technology than other 
systems. This is understandable when one considers that the first extensive application 
of the technology involved the accounting functions of businesses. 

The extent of IS dependency can vary by whatever environmental sector or entity 
one wishes to discuss. Therefore, it may be useful to provide a means of classifying this 
variation. Such an approach was performed at the organizational level [Ref. 3:pp. 
216-218]. However, it 1s necessary to expand this approach to present a more balanced 
view concerning IS dependency. 

The dependency of IS to any organization of society can be defined in two 
dimensions, two states, and six levels. There are two dimensions in which to express IS 
dependency. First, operational dependency occurs when the entity critically relies on 
IS operational support but is not absolutely dependent on the uninterrupted 
cost-effective functioning of this support to achieve either short-term or long-term 
objectives. Generally, such support involves functional applications (accounting, 
personnel, etc.) and management planning and control (management information 
systems). In other words, an IS does not play critical role toward the achievement of 
the entity's mission. IS applications tend to be internally focused systems and are used 
for cost reduction or quality improvement purposes [Ref. 4]. There are no interfaces 


with suppliers, customers, and clients. 
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Second, strategic dependency exists when an IS plays a critical role in both 
operational support and toward meeting strategic needs. There is the assumption that 
strategic dependency also involves operational dependency. In addition to the internal 
focus of operational support, there is now a more external or environmental emphasis. 
The IS plays a stronger role in the accomplishment of strategic objectives. Suppliers, 
chents, and customers interact with the IS. This is intended to enhance the 
organization's products Or services. 

One means of measuring the dependency of an IS to an organization involves an 
estimation as to the time the IS could be down before essential business functions 
cease. One study found that the average time period in which essential company 
functions will continue following a data center failure ranged from two days for the 
financial industry to 5.6 days for the insurance industry. All industries had an average 
of 4.8 days. [Ref. 5:p. 24] Generally, there are two underlying causes of an 
organization's dependency on its IS. First, the automation of its processes on a large 
scale. Second, the integration of the automated processes. Such causes involve the 
extent to which an organization has automated it operational, management, and 
strategic planning processes and the integration of those processes. Other things being 
equal, the greater the current and anticipated extent of the automation and integration, 
the greater the level of IS dependency. 

At any point in time, an organization can be in two states. First, the current 
state simply indicates the current level of IS dependency. Second, the planned state 
represents the IS applications under development. Applications could be designed to 
meet anticipated operational and/or strategic requirements. 

Finally, IS dependency can be expressed in a multitude of levels. Each level is a 
combination of the two dimensions (operational and strategic) and the two states 
(current and planned). At any given point in time, an organization can be at only one 
of six levels. 

e Level 1. Currently, the organization is strategically and operationally 
dependent. Applications that are under development are expected fo maintain 
this posture. 

e Level 2. Currently, the organization is strategically and operationally dependent 
on, the IS. However, applications under, development are dominated by 
maintenance work and non-strategic applications. 

е Level 3. Currently, the organization is only operationally IS dependent. 
However, applications under development are expected to create operational 
and strategic dependency. 

e Level 4. Currently, the organization is only operationally IS dependent. 


Applications under development are expected to enhance operational 
dependency only. 
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* Level 5. Currently, the organizations is not operationally or strategically 
denendent on its IS. However, applications under development are expected to 
create an operational IS dependency. 

е Level 6. Currently, the organization is not operationally or strategically IS 
dependent. Applications under development are not expected io create either a 
Strategic or operational dependency. 

A full discussion of society's growing dependency on the computer would be 
complex. It is a multidimensional issue which cannot be properly addressed with this 
thesis. However, a limited discussion of how the computer has become infused within 
our society will be presented. For it is only when we have some perception of the 
impacts that computers are having, can we understand their criticalness. When such a 
perception is constructed, then the subject of IS security and its development can be 
discussed. 

The impact of computers on our society can be expressed in four perspectives. 
First, physically there has bcen tremendous proliferation of computers throughout our 
society. Second, the logical perspective addresses the vast amount of data which is 
being processed, stored, and increasingly shared. Third, computer technology is being 
increasingly applied to a wide and diverse range of organizations, processes, 
professions, and functions within society. Finally, the application of computer 
technology has resulted in new threats to human values which have existed on this 
planet for centuries. Such threats lead us to question what we value, why we value 
what we value, how to value, what threatens what we value, and how to protect and 


manage what we value. 


B. THE PHYSICAL PERSPECTIVE 

There has been a physical proliferation of computers throughout our society. The 
proliferation has been such that there are now some 30 million computers in the nation 
[Ref. 6: p. 38]. Certainly a major contributing factor has been the growing popularity of 
microcomputers by government, business, and the general public. Approximately 17 
million are now in U. S. homes and offices (Ref. 7:p. 68]. It is estimated that this 


number could grow to as high as 80 million by the end of the century [Ref. I:p. 16]. 


C. THE LOGICAL PERSPECTIVE 

Author John Naisbitt [Ref. 8:pp. 1-33] concludes that our Industrial Age Society 
has evolved into an Information Society. At the heart of this new socicty is the 
computer. There is a mass-production of information in the same way we used to mass 


produce automobiles. Certainly, the computer is the primary producer, storer, and 
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distributer of the information. However, Mr. Naisbitt makes a critical distinction 
between the two societies. In the computer age, we are dealing with conceptual space 
connected by electronics, rather than by physical space connected by the motorcar. 
The significance of this point can be emphasized by understanding the vast amount of 
data that is being processed, stored, and shared throughout our society. 

The Federal Government, for example, has more than 27,000 mainframe 
computers and more than 100,000 desk top computers [Ref. 9:p. 52]. It accumulates, 
stores, processes, and distributes vast quantities of data on a diverse range of subjects. 
More than 2.5 billion records are maintained in 229 fully computerized files. [Ref. 10:p. 
4| Of those, 43 files contain more than 500,000 records and another 1 billion are stored 
in 310 partially computerized and manual files. These records, combined with the more 
than 600 data banks operated by the states and the more than 1700 data banks 
operated by the cities and counties, provide governments with specific information on 
virtually every citizen [Set ulli oS 

There has been a tremendous growth in the interconnections of computers into 
networks and the availability of commercial on-line databases. An estimated 2,400 
on-line commercial databases are available for public use. [Ref. 7:pp. 68-72] In a 
typical month, merchants will initiate 50 million VISA credit checks to 18,014 member 
banks through a high-speed authorization system then can approve payment in as little 
as one second. Тһе Traveler’s Insurance Corporation spent $300 million in the past 
two years to bring its 30,000 employees and 10,000 independent agents under the 
umbrella of an IBM system network. Currently, the company has 35,000 terminals and 
personal computers (PCs) connected to 18 mainframe computers. Each day 3.7 million 
messages pass through Traveler’s 2 million feet of coaxial and fiber optic cables. [Ref. 
TJ 

The electronic transfer of funds has taken on great significance in our socicty. We 
are increasingly seeing the transfer and storage of funds being accomplished in 
milliseconds via data communications circuits from computer to computer in the form 
of electronic pulses, bistable circuit states, and magnetic domains. [Ref. 12:p. 267] Our 
economy 1s becoming increasingly reliant on Electronic Funds Transfers (EFT) and the 
interconnections of computer systems. Traditionally, funds have been accounted for by 
the accounting system then physically stored in steel and concrete vaults. The transfer 
of these funds was physically accomplished by movement in armored cars, airplanes, 
and railroad cars. Also, funds have taken the physical form of paper checks, securities, 


notes, telegrams, letters, warrants, currency, and precious metals. 
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However, there has been an increasing shift toward electronic storage and 
transfer of funds. For example, a large commercial bank transfers $30 billion each day 
and the U. S. Federal Reserve Wire System turns over an amount of money equal to 
the national debt every four days. The four major fund transfer systems that the nation 
relies on transmit $309 billion per day domestically and $600 billion per day 
internationally. [Ref. 12] 

The national telephone system provides the largest communications network 
[Ref. 5 : pp. 38-39]. It is controlled almost entirely by computer and connects 100 
million homes and businesses through 1 billion circuit miles of wire, cable, microwaves, 
and satellites. Finally, firms like IBM are offering corporations the ability to share 
information and applications worldwide [Ref. 13:p. 2]. 

As indicated, vast quantities of data affecting people are being collected, 
processed, stored, and communicated throughout society. It is essential that this data 
isnt lost or stolen, contain no errors and omissions, and is not originated, stored, 
retrieved, or communicated without proper justification. Therefore, proper security 


must exist to ensure that such discrepancies can be avoided or minimized. 


D. THE APPLICATIONS PERSPECTIVE 

There have been a wide and diverse applications of computer technology 
throughout our society. Such applications are more visible and publicized in the 
business community. However, computer technology has been increasingly applied to 
some significant and critical areas of society. Three such areas will be discussed. 

|. The Political System 

The entities of the nation's political system have been experiencing increased 
applications of computer technology to their tasks. As the dependency levels of these 
entities increase, so will be the need for greater protection over the information system 
that are applied. 

The legislative bodies of our nation have been using various [S to support 
their operations. The Congress uses a system called LEGIS to record, store, and 
provide prompt computer response to inquiries about the current status of all bills and 
resolutions. [Ref. Il:p. 606] The SOPAD system enables members to receive 
up-to-the-minute summary of proceedings and debates taking place on the floors of the 
House and Senate. Also, FAPRS (Federal Assistance Program Retrieval System) helps 


members to determine what federal grants and loans can be used bv their constituents. 


Is 


State legislatures, such as those in New York, Washington, Florida, Pennsylvania, 
Hawaii, and North Carolina, make effective use of computers to index, store, process, 
and retrieve statutory material; draft bills; prepare roll-call vote reports; provide census 
population data for planning purposes; address mailing labels; and provide other 
information and services to legislators and their staffs. 

Computer technology has also been applied to the Judicial System. An 
advanced computer-aided transcription (CAT) technology has been used by courts in 
Chicago, Phoenix, and Detroit. [Refi 14:pp. 1 & 22] It serves to translate testimony in 
real-time and display it on video monitors in courtrooms. Also, this on-line CAT 
system provides attorneys with the ability to search for and retrieve specific portions of 
transcripts and provides fully edited transcripts within minutes after a court session. 

CAT is of great benefit in those instances when witnesses or counsel do not 
articulate well enough to be understood by all parties. The real-time transcription 
enables deaf attorneys and litigants to read testimony they could not hear. The most 
significant advantage for attorneys is the ability to receive daily transcripts on 
computer disks, ready for indexing and cross-referencing on microcomputers. As a 
result, information is quickly accessible and more easily researched using the CAT. 

Additional application to the judicial system may result. There will eventually 
be automated statute and precedent research. Also, telecommunications will enable the 
transmission of trial information to the attorney’s office the instant it has been 
converted to text. This would permit greater time to perform research for subsequent 
court sessions. 

2. Journalism 
Journalists have found the computer an effective tool for discovering 


P 


information which would have ^... remained buried like a treasure crest at the bottom 
of the sea". Computer technology permits archival scanning that once required 
exhaustive card-catalog searches and high-speed analysis of myriad numbers until the 
machine produces a revelatory pattern. Several examples follow. [Ref. 15 :p. 56] 

The computer was used to analyze 30,000 low-interest mortgages issued by a 
mortgage finance corporation. The journalists matched mortgage issue dates with the 
bond issue that financed them. These helped expose a “secret fund” that apparently was 
used to give out loans to politically connected people. Criminal indictments resulted 


from the investigation. 
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One reporter heard that undefended indigents were being jailed for months 
because they could not pay $100-to-$300 fines for offenses like jaywalking. Records of 
899 inmates were fed through a computer. As a result of this analysis, the courts freed 
hundreds of inmates, threw out 20,000 orders for jail commitment and told the county 
to provide attorneys for poor defendents. It was estimated that without the computer 
analysis, the work would have required up to a year of research rather than six weeks. 

In 1979, a newspaper scanned with a computer all 2 million of a county 
government's property-tax assessments to discover inequities. In 1984, another 
newspaper used the computer to examine every state-awarded highway contract in the 
area and all major county sewer contracts over eleven years to discover that five 
favored firms collected 86% of the awards. The application of computers in journalism 
will continue to be significant as more and more public data are processed using 
computers. 

Therefore, the issue of IS security becomes significant for two reasons. First, 
there needs to be a means of determining what is public information and procedures 
established for accessing it. Second, the integrity of stored public information needs to 
be maintained-to ensure that what may be publicly stored and reported is valid. [Ref. 
15] 

3. Monitoring, Control, and Decision Making 

The public and private sectors have been increasingly using computers to 
monitor, control, and decide on a variety of activities. Such activities include such 
areas as weather forecasting, national defense, work performance, medical care, and the 
stock market. Therefore, the protection of the IS designed for such functions 1s 
becoming increasingly important. 

The government and industry have been increasingly using computer 
technology to monitor and control a variety of activities. The Internal Revenue Service 
has applied computers to monitor the returns of individual and corporate taxpayers. 
[Ref. ll:p 607] The reports of interest paid by banks to individuals can be compared 
against income reported by the taxpayer. Also, computers are used to select randomly 
and make preliminary audits of tax returns. 

Environmental control has been another area of application. U. S. 
governmental agencies processing environmental data with the assistance of computers 
include the Air Pollution Control Office and the Water Quality Office of the 


Environmental Protection Agency, the National Center for Health Statistics, the U. S. 
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Geological Survey, and the Department of Agriculture. At the state and local 
governmental levels, computers are being used to evaluate and control the levels of 
pollution. A significant result of the application of computer technology to 
meteorology has been the ability to predict hurricane paths. [Ref. 16: pp. 3 & 5] It is 
now possible for meteorologists to predict fairly accurately the circuitous paths 
hurricanes will follow and thus reduce the potential damage and loss of human life. 

The Department of Defense (DOD) has developed the World Wide Military 
Command and Control System for U. S. military commanders from the President on 
down. [Ref. |l:pp. 277-278] This system links 35 large.computers at 26 command 
posts around the world. The computers at the North American Air Defense Command 
accept, store, and constantly update masses of data from worldwide radar installations. 
The system can also track every humanly produced object in earth orbit. On the 
civilian side, millions of aircraft flights are monitored across the nation each year by 
the computers of the Federal Aviation Administration ’s (FAA) Air Traffic Control 
System. 

Computers are being used to monitor the work performance of the people 
who use them. [Ref. 17:p. 46] It is estimated that 13 million Americans use computer 
terminals in their work, and about one-third of them are being monitored by the 
computer as they work. The computer is programmed not only to process information 
from each employee’s terminal but also to measure, record, and tabulate dozens of 
details about how efficiently the worker is utilizing the system. Airline-reservation 
computers, for example, closely measure how long individual clerks take to handle each 
customer, and the amount of time the employee spends between calls. Any idle time 1s 
recorded, as well as lunch hours, coffee breaks, and even trips to the bathroom. 

Computer technology has made significant contributions to the quality of 
medical care. In some hospitals, for example, patients are able to sit down at a 
computer terminal before meeting a doctor to provide their medical histories and to 
receive information about the hospital. [Ref. 18:pp. 47-48] The computer interviews can 
be done in several foreign languages, as well as English, with a doctor receiving an 
instantaneous translation. Information on some ailments, such as stroke and blood 
disease, has been computerized within the hospital for doctors’ consultation. Currently, 
computers have the capability of detecting and monitoring ocular and cerebral ailments 
such as glaucoma and brain tumors. Some hospitals program computers not only to 


remind the pharmacy department to prepare prescriptions but also to alert nurses to 
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give the proper dosage at the right time. A patient’s medical history can be updated 
with the use of terminals located throughout the hospital. More broadly, computers 
permit the patient to be able to receive a health profile at far less cost than previously 
possible; and by systematizing information about the patient, reduce his or her hospital 
stay and pare both institutional and patient cost. 

Another significant accomplishment in the health care field has been the 
establishment of medical detecting and advising systems. [Ref. 19] Such systems are 
accessible to hospitals located throughout the nation. As patient’s are examined, 
medication orders and test results are entered into the system. The system contains 
data relative to various symptoms and the advised medications. Also, the patient's 
medical history is contained within the system's data. The history includes the patient's 
record of examinations; history of ailments; the doctor’s and nurse’s notes; data from 
monitoring equipment, such as electrocardiograms; and, from laboratory test machines, 
such as an automatic blood analyzer or X-Ray machine. As data is input, the system 
analyzes it and immediately begins asking for more information, suggesting tests, 
offering a diagnosis or reacting to the doctor’s treatment plan by warning of drug 
interaction, patient allergies or other potential problems. In one system, Control Data 
Corporation’s Health Evaluation through Logical Processing (HELP), the doctor 
doesn’t have to take the computer’s advice. However, the reason for this must be 
explained in the patient’s record by the doctor. HELP acts as a flexible checklist for 
doctors. The system is programmed to react to the changing conditions of the patient 
as a disease progresses or as new laboratory tests or other information becomes 
available. 

Finally, computers are playing an increasingly significant role in the buying 
ame sell of stock. First, the New York Stock Exchange uses 13 computers to 
support minute-to-minute floor trading. [Ref. 20:p. 10A ] It is estimated that if three of 
the computers fail, stock trading would cease. Second, large investors are using 
computers to monitor stock prices and to sell or buy automatically when they reach a 
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particular point. [Ref. 2l:pp. 1B - 2B] This ” program selling ” is dominated by a few 
major Wall Street brokerages. Third, the nation’s stock exchanges have applied 
computer technology to enhance their abilities to monitor and control illegal activities 
related to stock trading. [Ref. 22:p. 46] The New York Stock Exchange (NYSE), the 
American Stock Exchange, and the Over-the-Counter NAS-DAQ Systems employ 


comprehensive computer systems to monitor unusual stock trading. In 1985, the NYSE 


instituted an audit trail allowing it to track the buyers and sellers involved in each 


trade. 


Е. THE VALUE PERSPECTA E 

Ultimately, the question of values and the threats to and the limitations on those 
values imposed by the increasing use of computer technology must be addressed. 
Traditionally, such issues tended to focus more strongly upon the physical and 
application perspectives of computers. The security issues involved protecting 
computer systems as assets with economic value. Also, applications should contain 
sufficient controls to prevent malfunction, error, damage, destruction, or fraud which 
could result in the loss of economic and human values. 

However, as previously discussed, the power of the computer systein is no longer 
defined by its size and limited applications. The logical power of a computer in terms 
of processing, storage, and communications has reached a point of dominance. As a 
result, the issues of what we value as a society and the threats to those values take on 
a broader context. 

1. Human Privacy, Freedoms, and Power 

First, human privacy, freedoms, and power are threatened by the increasing 
mass processing, storage, and communication of information. Vast amounts of 
information on individuals are stored in a number of private data banks. [Ref. 23:p. 
104] The data is sold to businesses and individuals for a designated price. Computer 
“blacklists” of consumer information are sometimes used as a basis for denying housing 
and credit to consumers on the list. 

Credit bureaus such as TRW Information Services and Equifax, Inc. have 
long relied on huge data banks of mainframe computers to provide consumer credit 
records for banks, department stores, finance companies, and employers. Each working 
day, TRW’s machines handle an average of 255,000 requests culling information from a 
massive data base that contains detailed records of the bill-paying habits of 133 million 
people. 

Our society established controls in the form of laws. Under the Federal 
Privacy Act of 1974, for example, the Census Bureau, the Internal Revenue Service 
(IRS), and other government departments must notify citizens before releasing 
information about them to another agency. Consumers also have the right to stop 
credit bureaus from dispensing false or misleading data. Tlowever, the regulations 


governing the new private blacklists are murky and contradictory. [Ref. 23] 
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Also, a congressional investigation concluded that advances in technology are 
eroding the Federal Government's ability to ensure privacy of personal information 
stored in government computers [Кеб 24:рр. 1 & 14]. Тће Privacy Act of 1974 was 
developea under certain technical and social conditions. [Ref. 25:p. 60] Batch 
processing was dominant in 1974 and government agencies and large businesses were 
the major users of computers. Also, the telecommunications industry was regulated and 
highly structured. Its development and functioning were mainly separate from 
computer systems. 

The technological changes that have taken place over the last 12 years were 
not provided for in the act. For example, there has been an increase in modem (the 
device used to link a computer with a network) capabilities nationwide. An estimate by 
the U. S. National Security Agency (NSA) indicated that all the modems purchased in 
the U. S. in 1972 could together transmit 600,000 characters per second. However, in 
1984, a sufficient number of modems were purchased to transmit 220 million characters 
per second. With the increase in quantity of transmission has come an increase in 
speed. The Office of Technology Assessment (OTA) estimates that with the increased 
communications capacity made possible by fiber-optics, it is possible to transmit at a 
rate of 100 average-length pages per second. This capability could permit the creation 
of centralized libraries with universal access. [Ref. 25] 

The growth of computer technology challenges the balances of power within 
our society. These balances exist between man and machine as well as between men 
who apply computer technology. The balance of power between man and machines 
essentially involves two issues. First, the extent to which man permits computers to 
monitor and control human and non-human activities such as in work performance 
monitoring. Second, the extent to which man permits computers to actually decide 
critical questions without human intervention. This second issue has great relevance іп 
the areas of health, economics, and national defense. 

When computer technology is applied to various aspects within our society it 
sometimes alters or threatens to alter the existing power balances. The machine can be 
used as an instrument for shifting the balance of power beyond safe limits. For 
example, the governor of the state of New Hampshire reorganized the state's 
computerized financial management system. [Ref. 26:p. 70] He established an integrated 
financial management system which reported state budgetary, revenue, and expenditure 


information. As governor, he freely accessed the system to obtain required information. 
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However, the issue of the availability of the data was raised by the state legislature. 
The governor attempted to retain control over who could access the stored data. This 
was perceived as an attempt to try to shift control from the legislature to the 
governor's office. However, the governor did agree to issue a password to one 
legislative official under certain limitations. Only limited information from the system 
could be accessed bv the legislature. The state's computer contains revenue, 
expenditure, budgetary, and operational information. Such information provides a basis 
for managing the government; assessing its performance; and making decisions in these 
areas. If the legislature's access to such information is narrowly restricted by the 
governor, then it may not be able to properly perform its duties. Such duties include 
assessing the state's financial and operational performances and making sound 
decisions that it is constitutionally empowered to make. At the time of this writing, the 
matter has not been resolved. However, this case illustrates the political implications 
that could result from the application of computer technology in an organization. 
2. Human Vulnerability 

Society 1s becoming increasingly vulnerable to computer system destruction, 
damage, malfunctions, errors, misuse, and fraud. As previously indicated, this results 
from the expanded proliferation, power, and applications of computer technology 
within the society. It is estimated that the overall losses to U. S. businesses from 
computer crime are from $100 million to $3 billion annually [Ref. 27:p. I-1-4]. In the 
public sector, government computer disorders have been estimated to result in annual 
losses of $30 billion to the American taxpayer [Ref. 9]. 

The vulnerability of our society can also be expressed from an operational 
perspective. Computer systems eventually become integrated with the other systems of 
an organization and society. As discussed earlier, this integration could reach a point 
where organizations become dependent to varying degrees on the computer to 
accomplish operational and strategic objectives. As the degree of integration increases, 
the levels of operational and strategic dependency of the organization also increase. 
lherefore, the various systems within our society and organizations become 
increasingly vulnerable to computer destruction, modification, disclosure, and denial of 
Service. 

The scope of this vulnerability could extend from a single individual to the 
entire human race. Certainly one system which has global significance is our national 


security system. Its existence and readiness secures mankind from Armageddon. This 
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system has become increasingly dependent upon computer technology to maintain that 
readiness. A clearer picture can be presented of the vulnerability issue when one 
considers that a study revealed that only 30 out of about 17,000 DOD computers 


surveyed met minimum standards for protection [Ref. 28:p. 39]. 


F. CONCLUSIONS 

It is hoped that this chapter offered some insight into the broad or “macro” 
perspective of computers and the need for some degree of control over them in various 
circumstances. Due to the scope of this thesis, it was not possible to explore the 
presented issues in any greater depth. However, it is within this “macro” perspective 
that an IS security system must be developed to meet threats at both the “macro” and 
“micro” or organizational levels. As society's dcpendency on computer technology has 
increased, it has responded with controls in the form of laws, regulations, and 
regulatory bodies to counter the threats. So too must individual organizations respond 
with controls as its level of dependency and threats rise. An orderly process should be 
followed by organizations to assess its security needs and to select appropriate controls 
to meet those needs. The development of such a process is the subject of this thesis. 


The following chapter will address the definition of an IS and an IS security system. 
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Hr. THE SYSTEMS PERSE EGiiy Е 


The whole is more than the sum of its parts. [Aristotle] 


А. МНАТІЅ А 7 УБИЕ 
1. System Definition 

Generically, a system can be defined as a set of parts coordinated to 
accomplish a set of goals. It is possible to conceive of a hierarchy of systems which 
encompass the entire universe. Man has developed political, economic, technological, 
social, and legal systems to enable him to survive, coexist, and prosper. Within each of 
these systems, other systems (organizations) were formed over time through the 
combination of people, resources (time, currency, energy, materials, equipment, space, 
information, and technology), procedures, structure, and goals. These organizational 
systems are embedded within the universal system. There are five basic considerations 
that one must keep in mind when thinking about the meaning of a system. [Ref. 29:pp. 
29-47] 

First, each system must have total objectives and means to measure the 
performance of the whole system. A distinction needs to be made between a system's 
stated objectives and the real objectives. Some objectives may be publicly stated to 
accommodate grouns and win support. Such a situation could arise to obtain a larger 
budget, win customers, or obtain investment funds. A means of separating real and 
stated objectives 1s to determine whether the system will knowingly sacrifice other goals 
in order to attain the stated objective. Once measures of performance are developed to 
assess the accomplishment of the objectives, a distinction should also be drawn 
between stated and real measures of performance. For example, a student in class often 
comes to think of his or her objective as the attaining of as high a grade as possible. 
The measure of performance becomes the letter grade obtained when the course 1s 
completed. Such a high grade could be achieved at the sacrifice of a real understanding 
of the content of the course. The high grade is sought because he or she believes that 
high grades will lead to scholarships and other opportunities in the future. The 
student's stated purpose is to learn but his or her real measure of performance is the 


grade. 
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Second, the system’s environment needs to be considered. The environment 
lies “outside” the boundaries of the system. Physical boundaries do not define what is 
“inside” and “outside” the system. The environment represents constraints on the 
system. The system can do relatively little about the environment's characteristics or its 
behavior. In effect, the environment is beyond the control of the system but it is also 
something that partly determines how the system performs. For example, if the system 
is Operating in a very cold climate, then the equipment must be designed and protected 
to withstand various kinds of severe temperature changes. An important aspect of the 
environment of the system is the “requirement schedule”. For an industrial firm, this 
consists of the sales demands. These demands could be somewhat influenced by means 
of advertising, pricing, and the like. But to the extent that demand for the 
Organization’s products is determined by individual people outside who are the 
customers of the firm, then the demand lies in the environment of the system. 

Internal resources comprise the third relevant element of a system. Resources 
represent the things the system can change and use to its advantage. Such resources 
include people, currency, energy, materials, space, time, information, technology, and 
equipment. 

Fourth, a system consists of components and their relevant goals, activities, 
and measures of performance. Generally, organizations are divided into departments, 
divisions, offices, and groups of individuals. These represent the structures that will 
perform the components (tasks). They may not represent the real components of the 
system but rather the stated ones. A department or unit may not perform just one task 
such as production. Rather it may perform several tasks. Therefore, there needs to be 
a rational breakdown of the tasks the system must perform. An analysis of the tasks 
will permit an estimate of the worth of an activity for the total system. If a department 
or other organizational subdivisional 1s associated with several larger tasks, it may be 
impossible to distinguish its real contribution. It must be determined if the departments 
and other subdivisions are relevant to the real components of the system. The 
components (tasks) whose measures of performance are truly related to the measures 
of performance of the overall system must be discovered. 

Fifth, system management generates plans for the system - goals, 
environment, resources, and components. [t sets the component goals, allocates the 


resources, and controis the system's performance. [Ref. 29:pp. 29-47] 
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2. System Thinking 
The five elements just discussed must satisfy the following three conditions. 
(Ref. 30:pp. 2-3] 


¢ The behavior of the whole is affected by the behavior of each of the five 
elements. 


э» There is an interdependency between the behavior of the elements and their 
effects on the whole system. 


о Regardless of how the subgroups of the elements are formed, each has an effect 
on the behavior of the whole and none has an independent effect on it. 


Therefore, a system is a whole entity that cannot be divided into independent parts. 
Two of a system's most important properties are derived from this statement: 


e Each part or element of a system has properties that it loses when separated 
from the system. 


е Every system has some properties - its essential ones - that none of the parts 
have alone. 


The essential properties of a system taken as a whole result from the interactions of its 
parts or elements, not actions taken separately. As a result, when a system is taken 
apart (analysis) it loses its essential properties. Due to this critical fact, a system 1s a 
whole that cannot be understood by analysis. [Ref. 30:pp. 2-3] 

Therefore, a method other than just analysis is required for understanding the 
behavior and properties of systems. System thinking involves the reversal of the the 
three-stages of Machine Age thinking : (1) decomposition of that which is to be 
explained, (2) explanation of the behavior or properties of each part separately, and (3) 
aggregating these explanations into an explanation of the whole. Analysis (taking 
things apart) is the critical factor in the process. Synthesis (putting things together) is 
used as a means of putting together behaviors and properties in a meaningful way. 
System thinking views these two means as inseparable. [Ref. 30] 

System thinking is a process involving the following: 

e Identification of a whole of which the thing to be explained is a part. 
e Explanation of the behavior or properties of the whole. 


e Explanation of the behavior or properties of the thing to be explained in terms 
of its role(s) or function(s) within its whole. 


Using this approach, synthesis precedes analysis. 

In analytical thinking, the thing to be explained is regarded as a whole to be 
taken apart. Synthetic thinking regards the thing to be explained as a part of a 
containing whole. In effect, analysis focuses on structure and reveals how things work. 
Synthesis concentrates on function by revealing why things operate as they do. As a 


result, analysis yields knowledge and synthesis yields understanding. 


26 


B. WHAT IS AN INFORMATION SYSTEM (IS) ? 

An IS is conventionally defined as information resources plus all users of the 
information. [Ref. 31:p. 2] Information resources consist of all the physical and logical 
components of the IS such as computers, programs, analysts, programmers, operators, 
managers, data, operating systems, and communications links. The physical, logical. 
and human elements of the IS can be structured in the “system” conceptual framework 
previously discussed. A more comprehensive and structured definition will prove useful 
for formulating and implementing an IS security system. 

1. 15 Objectives 

Information is the basic requirement of IS users. It can be delivered to users 
in physical (hardcopy) and logical (terminal display and voice outputs) forms. 
Generally, users have specifications for receiving the information. These specifications 
involve the information format; timeliness; cost; storage; availability; reliability; 
volume; distribution; and protection. 

The prime objective of the IS is to meet user requirements (demands) for 
information relative to their specifications. The measures of performance for the IS 
involve criteria to assess the effectiveness and efficiency of the IS in satisfying user 
demands. If the IS plays a strategic role in the accomplishment of the organization’s 
objectives, then such measures will also include criteria for assessing the performance 
of the users, or their organizational units using the IS for accomplishing their 
organizational missions. [Ref. 32:pp. 57-58] 

2. The IS Environment 

The IS environment consists of four elements. First, there 1s the environment 
outside the organization within which the IS is embedded. This environment 1s 
relevant to the IS since it produces the technology, products, and services which are 
utilized by the IS to perform its mission Also, this environment is responsible for 
producing the laws, regulations, and standards which affect the behavior of the IS in 
performing its activities. 

Second, the top management of the organization provides the funding, 
direction, and commitment needed to support the IS. It affects the behavior of the IS 
by controlling the intensity levels of the three variables. Such intensity could range 
from high to low depending on the organization’s level of dependency on the IS. A 
high level of dependency would require a high level of funding, commitment, and 


direction in terms of the products and performance it requires from the IS. 
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A third factor is the line, support, and general management components 
(tasks) and structures of the organization. The IS is responsible for providing 
information to these components (tasks) and the structures that are formed to provide 
such components (tasks). Organizational components (tasks) would include line (e.g., 
production, marketing, and engineering); support (e.g., accounting, administration, and 
purchasing); and general management (e.g., strategic planning, capital budgeting). The 
structures formed to perform such tasks include departments, divisions, sections, 
groups, staffs, and offices. 

Fourth, the IS has various types of users of its products, services, and 
resources. Such users are people within and outside (e.g., suppliers, customers, and 
dealers) the organization who are authorized to receive information produced by the IS 
and to utilize its resources. Top management personnel are included as those who 
receive IS products and services as well as utilize IS resources. Consumers are users 
who are authorized to receive IS products and services and to utilize the IS resources. 
Owners are users who have exclusive rights and use over IS products, services, and 
resources. IS resources (hardware and software) are generally owned by the IS. 
Information, however, is generally owned by the organizational components (tasks) 
and structures (e.g., accounting, marketing, production). In a decentralized or 
distributed IS configuration, resources could be owned by the consumers. Custodians 
are users who are responsible for IS products and resources while they are under their 
possession. For example, service bureaus and time-sharing services operate on a 
third-party contractual basis. [Ref. 33:p. 3A-5] 

3. IS Resources 

There are seven types of IS resources. First, IS facilities include physical plant 
and supporting equipment and utilities. Second, IS technology can be either batch or 
on-line. Batch technology involves the processing of a number of similar input items 
which are grouped for processing during the same machine run. There is no interaction 
between the users and the job while it is processing. On-line technology involves the 
processing of data as it is generated. Interaction between the user and the job while it 
is running can take place. Third, hardware consists of units such as central processing 
units; magnetic storage devices; input/output devices; communication controllers; 
modems; terminal concentrators, digital switches; cryptographic devices; and 
multiplexors. A fourth IS resource is software. Software involves operating systems; 


database management systems; communications control software; and applications 
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software. Fifth, the data resource can be divided into various groups such as 
accounting, proprietary, and personal information. Sixth, people are the individuals 
who develop, operate, and manage the IS. Finally, procedures are the standards, rules, 
and policies established to develop, operate, and manage the IS. 

4. IS Components 

lhere are twelve IS components (tasks). Some or all of the IS resources are 
combined to construct each of the twelve components (tasks). In other words, the data 
entry component (task) could involve hardware (terminals); people (data entry 
personnel); procedures (data entry manual or users manual); and data (invoices). The 
combination of these resources forms a component or IS task. Such components 
(tasks) involve data origination, collection, preparation, and authorization; data input: 
data processing; data output; output distribution; storage & retrieval; communications; 
data management; hardware operations; system programming; application program 
maintenance; and system development. A organization may have all or part of these 
components (tasks). For example, a centralized IS configuration may not have a 
communications component (task) if all input documents are mailed or delivered to the 
IS for processing. Generally, the higher the level of IS dependency, the more of these 
components (tasks) an IS will contain. 

5. IS Management 

There are several aspects to the management of an IS. First, the mission of 
the IS needs to be established. This mission should be a reflection of the information 
needs of its environment. Second, a short range (1 year or less), intermediate range (1 
to 5 years), and long range (greater than 5 years) strategy needs to be formulated to 
accomplish the designated mission. Such a strategy consists of overall and component 
objectives; measures of performance; application developments; policies; procedures; 
processes; and rules. It is through such a strategy that the people within the 
organization perform the activities needed to fulfill the mission. 

Third, IS resources will need to be allocated to components to develop and 
maintain classes of IS applications. These classes of applications include transaction 
processing systems (TPS); management information systems (MIS); decision support 
systems (DSS); office automation systems (OAS); strategic information systems (SIS); 
and communication systems (local area networks and wide area networks). 

An application can be defined in two ways. One way involves an 


organization's structural components (tasks). Such applications support general 
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management, line, and support components (tasks). The other way to define an 
application is in terms of its application to various fields of study such as medicine, 
science, military, education, and law. The application systems within the classes are 
developed and maintained over time to fulfill user requirements. 

Fourth, resources, components, and management activities need to be 
structured and deployed. There are three configurations that are generally utilized. [Ref. 
34:p. 16] A centralized configuration entails all data processing and storage capabilities 
at one geographic location, possibly with nonintelligent (non-data editing or local 
storage Capabilities) terminals, either batch or interactive on-line, at other geographic 
locations. On the other hand, independent components and resources in different 
geographic locations which do not communicate are considered a decentralized 
configuration. А distributed configuration entails resources, components, and 
management in different geographic locations which communicate and process 


applications cooperatively. 


C. WHAT IS AN IS SECURITY SYSTEM ? 
1. Security System Objectives 
The basic objective of the IS security system is to provide protection for the 
organization’s IS physical (facilities, hardware, and procedures), logical (software and 
data), and human (people) assets. IS assets are to be protected from a variety of 
threats which could cause modification, destruction, disclosure, and denial of service of 
the assets. The measures of performance for the security system involves how 
effectively and efficiently the assets are protected from the threats which could cause 
such adverse impacts. | 
2, Тһе Security Environment 
The IS security system's environment consists of three factors. First, there 1s 
the environment outside the organization. This environment is relevant to the security 
system since it produces the technology, products, and services which are used by the 
security system. It also produces the laws, regulations, and standards which affect its 
behavior and objectives. 
Second, the top management of the organization provides funding, direction, 
and commitment which 1s necded to support the security system. It affects the behavior 


of the security system by varying the intensity of these three variables. 
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Third, the IS security system is embedded within the IS of an organization. 
Although the security system operationally functions within the IS, it is separately 
managed by the security staff. 

3. Security Resources 

The security system’s resources are controls in the form of security hardware, 
software, people, procedures, and data. The security controls such as security manuals; 
guards; separation of duties; passwords; hardware terminal locking; and restricted 
dial-up access are applied to IS resources. The controls provide the means of linking or 
operationally embedding the security system within the IS. 

4. Security Components 

There are six components (tasks) of the security system. First, the avoidance 
component (task) seeks to avoid threats to assets by removing the potential threat or 
by eliminating or moving assets away from potential threats. An example would 
involve removing a sensitive data file from on-line access during periods of time when 
potential threats are present. This situation could arise during hardware maintenance 
or time-sharing by unknown individuals. 

Second, the deterrence component (task) involves activities to reduce’ the 
threat to assets by reducing the vulnerability of the assets to loss. An example would 
include iibeling all copies of computer programs, data, computer equipment 
documentation, and storage media with warning labels. Such a label could read 
“Unauthorized modification, destruction, disclosure, taking, or use is punishable by 
law”. 

Third, the prevention component (task) involves reducing the frequency with 
which causes of threats occur. Examples include segregation of duties; passwords; 
authorizations; and standardization. 

Fourth, the detection component (task) involves the notice of an attempted or 
actual threat. Examples include control logs; fire detection; hardware checks; operator 
logs; and operating system checks. 

Finally, the recovery and correction components (tasks) involve activities 
Which support the restoration from and replacement of loss. Examples of such 
activities involve the development of contingency plans; off-site back-up: on-site 


backup; and discrepancy reports. [ВеЁ. 12:рр. 299-309] 
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5. Security System Management. 

There are several aspects to the management of an IS security system. First, 
the management of the system 1s responsible for the establishment of the mission or 
objectives of the security system. This mission or objective(s) should be a reflection of 
the security requirements of the security system's environment. 

Second, short range, intermediate range, and long range strategies need to be 
formulated to accomplish the designated mission. Strategies consist of overall system 
and component objectives; measures of performance; policies; procedures; processes; 
rules; standards; budgets; and reviews and evaluations. It is through such strategies 
that people within the organization perform the activities needed to accomplish the 
mission. 

Third, appropriate security resources (controls) should be allocated to 15 
resources to ensure their protection. Such controls take the form of devices, 
procedures, and people. 

Finally, security system resources (controls), components (tasks), and 
management should be structured and deployed within the organization. There are two 
appropriate configurations. One involves a centralized concentration of security 
resources (controls), components, and management. This would reflect a centralized IS 
configuration. The other approach involves a more decentralized structure and 
deployment of security resources (controls), components (tasks), and management. 


Such a configuration would reflect a decentralized or distributed IS configuration. 


D. WHAT IS THE IS SECURITY SYSTEM DEVELOPMENT MODEL ? 

A major objective of this thesis is to provide a conceptual systematic framework 
for defining IS security. This chapter defined an IS security system in terms of its 
objectives; environment; components (tasks); resources (controls); and management. 

The other major objective is to provide a generic development model that could 
be used by an organization to construct a security system within this defined 
framework. Chapters IV to VI are intended to provide an orderly process for 
constructing and maintaining the security system. The development model consists of 
three phases. Each phase will produce various parts of the security system. 

The planning phase will address the development of a security system 
development plan; a defintion of the responsibilities for IS secunty within the 


organization; the establishment of security baseline requirements; the classification of 
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IS applications, data, and transactions; and the establishment of a security policy for 
the organization. The planning phase will produce the security system objectives and 
environment parts of the security system framework. 

The design phase is responsible for producing the security resources part of the 
security system framework. Security resources are the controls which should be applied 
to the IS resources to provide the required level of security based on the classification 
performed during the planning process. The security controls effectively link the IS 
with the [S security svstem. 

Finally, the implementation phase will involve the testing of selected security 
controls; the installation of the controls; and the development of a management 
structure and components (tasks) to manage the security svstem to ensure that the 
security objectives are accomplished. This phase wiil produce the components (tasks) 


and management parts of the security system framework. 
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IV. THE PLANNING PHASE 


I like the dreams of the future better than the history of the past. [Thomas 
Jefferson, Statesman] 


I never think of the future, it comes soon enough. [Albert Einstein, Scientist] 


A. INTRODUCTION 

There are five steps of the planning phase of the IS security system development 
process. First, an organizational security system development group will need to be 
formed. This group will have prime responsibility for formulating security objectives 
and priorities. Also, they are responsible for managing the planning, design, and 
implementation phases of the development process. Second, the responsibilities for IS 
security will be defined for the organization's top management, line management, and 
the IS security staff. Third, IS security policy will be formulated. This policy will 
consist of both security objectives and security priorities. Fourth, the IS security 
environment will be both defined and analyzed. The purpose of this analysis is to 
establish the organization's baseline security requirements. Finally, a security 
classification program will be established. The purpose of this program will be to 
classify IS applications, data, and transactions as to their criticalness and sensitivity. 
This will provide a basis for the allocation of security controls during the subsequent 
design phase. The planning phase will also begin the accumulation of relevant security 
information in an lS security database. Once the information is fully accumulated at 
the end of the development process, the database will provide a means of maintaining 


and managing the developed security system. 


В. SECURITY SYSTEM DEVELOPMENT GROUP 
1. Development Group Members 
There are two approaches for staffing the development group. The first 
approach involves forming a group consisting of representatives from functions that 
relate to 1S security. This group could work on a full-time basis or they could allocate 
limited number of hours per week to the development effort. Such functions include 1S 


operations; hardware maintenance; systems programming maintenance; systems 
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development; quality control; IS standards; application programming; users; database 
administration; facilities management; general security department; the legal staff 
personnel department; and the fire department. 

Each representative must function in the group in isolation from 
representatives of all other functions requiring security. This enables a separation of 
responsibilities and maintains the principle of privilege or need to know. An example 
would illustrate the point. It would be unwise to have a programmer studying 
Operations security. The separaticn of responsibility is a significant organizational 
control. Each assigned representative must be able to devote significant time to the 
group. Such an undertaking requires fixed schedules of work for the group and 
well-planned and coordinated meetings, especially to maintain the necessary separation 
of responsibilities. To accomplish this, the group will require a commitment from the 
organization's top management. 

The second approach for the formation of a development group is to staff the 
group with [S security m augmented by individuals having whatever additional 
expertise 1s required. The security specialists would work on the development on a 
full-time basis. Also, if additional expertise cannot be obtained within the organization, 
then contractual relationships could be established with outside consulting services. 
Ше 55:pp. 107 - ПП 

Each approach offers both benefits and disadvantages. Certainly, the use of 
representatives from a broad range of functions would provide greater knowledge, 
skills, and 1deas. However, the representatives would not be available to serve in their 
normal capacities while participating in the security system development. Also, there 1s 
always the possibility that by exposing critical IS security information to a wide group 
of people, there is a greater risk of intentional or accidental disclosure. 

The use of IS security specialists provides the benefit of specialized knowledge 
and limited exposure to critical security information. However, there may be a cost of 
additional development time since the specialists will need time to become familiar with 
the IS and the organization. Regardless of which approach is taken, an [S security 
manager should be appointed and given the leadership of the development group. 
Finally, the group should contain representatives from both the organization's and the 


IS top management. 


2. Development Group Responsibilities 

The development group will have overall responsibility for the planning, 
design, testing, and implementation of the security system. The security staff will be 
responsible for the system’s management and operations. 

The group’s responsibilities will include the formulation of a security system 
development plan and procedures for monitoring the progress of the plan. Such 
monitoring will include periodic meetings, personal observation’s, and the creation and 
distribution of periodic reports. Estimates of security system staffing; funding; 


development time; and management commitment and direction should be developed. 


C. DEFINITION OF SECURITY RESPONSIBILITIES 
1. Background 
First, there must be a definition of management responsibilities for IS security. 
[Ref. 27:pp. 1-1-6 to I-1-8] IS security is a management responsibility. Each 
organizational level must be responsible for the protection and conservation of its 
assigned resources. IS security is a basic function of management control at each level 
within the organization. 
2. Top Management 
It is the responsibility of top management for making the initial commitment 
to establish an IS security system within the organization. Also, top management has 
the continuing responsibility for providing a responsible and responsive managerial 
climate for the system’s implementation and operation. Such a commitment should 
initially manifest itself in a clear and unambiguous statement of organizational security 
policy and continue in the form of high managerial visibility and concern with the 
effectiveness of the system. 
3. Line Management 
The ultimate responsibility for the protection of IS resources must rest with 
those who utilize or allocate the resources. Midlevel and first-line managers and 
supervisors are well positioned to identify those areas which require protective 
measures and to implement (or request implementation of) such measures. At this 
level, responsibilities for IS security involves the three distinct groups of users 
previously identified. First, IS consumers have three responsibilities as follows: 
9 Ensuring that IS assets are used only for authorized purposes. 


e Implementing and managing authorized IS security programs. 
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е Working with the IS security staff to c risk acceptance and management 
practices when security controls adversely affect operational effectiveness. 


Second, the security responsibilities of IS owners involve: 
е Determining the value of IS assets. 


е Establishing levels of protection and control for IS assets based on their value 
and importance. 


e Establishing access and use criteria for IS assets. 


9 Working with users, custodians, and the IS security staff to monitor compliance 
with the established levels of protection. 


Third, IS custodians have responsibilities which include: 


е Strict adherence to all owner-specified protection and control criteria for IS 
assets in their custody. 


е Maintaining effective overall control to prevent damage or destruction that 
could adversely affect the owner s operational schedule. 


4. The IS Security Staff 

The IS security manager and his or her staff are the focal point for security 
activities within the organization. The staff also provides an advisory function to both 
top and line management. The IS security manager and staff must assume 
responsibility for several activities. In conjunction with top management, they must 
develop an organizational IS security policy and a structure for the assignment of 
security responsibilities for the overall organization and for each functional area. Also, 
they must establish operational standards and procedures for the implementation of the 
IS security programs by managers at all levels. Finally, they must develop and 
implement management systems and procedures for reviewing and evaluating 
organizational IS security programs, disclosing deficiencies, and recommending 


corrective actions. 


D. IS SECURITY POLICY 
1. Background 
ОССО сис decision to establish an IS security system has been. made, a 
management commitment secured, and the IS security manager appointed, и 15 
essential to establish an organizational IS security policy. The objectives and priorities 
of the system must be clearly defined at the beginning to achieve the desired level of 
system performance. There must be a clear understanding as to what is to be protected 


and why it is to be protected. [IRef. 27:pp. I-2-1 to I-2-3] 


7] 


2. Security Objectives 
The organizational IS security system objectives must be defined to establish a 
direction for the system. Such objectives were discussed in Chapter III, Section С. 
However, an organization may decide to modify such objectives to suit its own 
requirements. Once defined, the objectives should be set forth clearly and explicitly in a 
security policy statement. Such a statement should define the powers, rights, and 
accountabilities within the organization at the various levels to accomplish the 
objectives. Finally, the objectives statement should be widely distributed within the 
organization. 
3. Security Priorities 
The organization’s security priorities should be delineated. Such priorities 
translate the general security objectives into more specific requirements that are based 
on the environment and the nature of the security tasks to be performed. There 1s a 
number of factors specific to the organization that will have a major bearing on the 
establishment of security priorities. Such factors include: 

e Organizational Functions. А significant factor involved in setting protection 
priorities 1s the, function or mission of the organization. In highly transaction 
sensitive organizations, such as financial institutions, the highest priority is 
established (ог ӘДЕТТЕ and. monitoring critical transactions. Other 
organizations, such as manufacturing, may be highly process sensitive and the 
priority will be established so as to ensure the confidentiality of trade data 
processed. Service oriented organizations, such as consulting firms, will 
emphasize the protection of client data that would place them at a disadvantage 
should it become known to their competitors. Therefore, the security manager 
and staff must carefully assess the function of the organization when developing 
security priorities. [Ref. 27] 

e Availability of Security Resources. The availability of IS security resources is 
another major determinant. Organizations with „substantial resources 
committed to IS security will necessarily structure their approach differently 
than will an organization with more constrained resources. | КеГ. 27) 

e Level of Dependency. The organization’s level of dependency can be a 
significànt factor for establishing priorities. Priorities could concentrate more 


heavily on ЕЕ Or anticipated resources and applications based on the 
organization's level at the time of security policy formulation. 


E. SECURITY SYSTEM ENVIRONMENT ANALYSIS 
l. Purpose of the Analysis 
The purpose of this analysis of the security system’s environment is to develop 
baseline security information and requirements. This will be accomplished by 
performing research surveys of the organization’s environment, top management, and 
the IS. The information resulting from these surveys should be entered into a security 


database maintained by the security staff. The database will be a significant tool for the 
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development, maintenance, and operation of the security system by centralizing and 
securing the information needed to accomplish all three of these functions. 
2. The Organization’s Environment 

The organization’s environment should be surveyed to determine what security 
must be incorporated within the organization. The security measures result from 
environmental legal and regulatory strictures. The organization’s legal staff, 
consultants, legal research, or professional publications could provide a means of 
obtaining relevant federal, state, local, and international laws that affect security 
system development. However, several significant laws will be briefly outlined as 
follows: [Ref.27:pp. II-1-2 to II-1-5] 

е Privacy Act of 1974 (5 USC 552a) 11 established, policy for collecting, 
maintaining, disclosing, and safeguarding personal information in |едега! 
systems of records. 

е Freedom of Information Act (5 USC 552). It established policy for ы 
disclosure of information, documents, and records maintained by the federal 
government. 

9 Foreign Corrupt Practices Act of 1977 (Е САЩ This act changed the Securities 
and Exchange Act of 1934. It provided that all firms covered under the act (i.e. 
publicly, held) must devise and maintain an adequate system of internal 
accounting controls. 

е Public. Money, Property, or Records (18 USC 64). This law established criminal 
penalties for embezzling, stealing, or knowingly converting to personal use or 
use of another any federal. records or property. 


е Disclosure of Confidential Information (18 USC 1905). This law established 
criminal peralties for disclosing trade information. 


3. Crganization's Top Management 

The organization's top management should be surveyed to determine their IS 
security needs. This survey should extend beyond the members of the top management 
who are participating in the development of the security system. Surveys could be 
conducted using predetermined survey documents; group meetings; or individual 
discussions. Top management should be questioned concerning their opinions of the 
current state of security within the organization; any problems that they wish to 
discuss; their perspections of their security needs; and any suggestions that they may 
have as to the manner in which the security system should be developed, operated, and 
managed. Their security needs should be as narrowly defined as possible in terms of 
information and applications. This is especially important since top management 
generally uses specific kinds of information and applications to perform 15 
responsibilities. For example, top management could be using a strategic planning 


application to support its planning responsibilities. 
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4. The Organization’s IS 

The conceptual framework of an IS, presented in Chapter III, Section B, 
should be used to perform an analysis of the IS. First, the IS should be surveyed by 
the members of the development group to determine its objectives and measures of 
performance. This information 1s important since such objectives and measures of 
performance could conflict with the established security policy. For example, to meet 
all users’ requests for information, the IS may be providing information to users who 
should not be receiving it. Also, its measures of performance may not contain criteria 
for the reliability and protection of information and other assets. 

Second, the [S’s environment should be surveyed. IS users should be identified 
and defined. The identification of users involves determining their names; locations; 
work positions and responsibilities; their powers, rights, and accountabilities as users 
and the justifications for each; the extent of computer Knowledge, skills, and 
experiences; and their history as users of the IS. Also, users are defined as consumers, 
owners, and/or custodians. A user can be defined as one of these, two of these, or all 
three of these types depending upon their rights, powers, and accountabilities. For 
example, a user could have the right to receive information; to own specified IS 
resources; and to act as a custodian for other IS resources. The identification and 
definition of users can be obtained by researching IS records. 

The organization’s line and staff tasks (e.g., accounting, marketing) and 
structures (e.g., departments, divisions) should be accounted for and users identified 
with each one. A survey of all or a sample of users should be performed to determine 
their security needs; problems; and suggestions. Such surveys could be conducted using 
predetermined survey questionnaires; group meetings; or individual discussions. 

Third, IS resources (assets) should be identified. Appendix A provides a listing 
of defined IS assets. Each asset on the list is identified with a unique number. 
Appropriate information should be entered into the security database about each asset. 
Such information should include the names; locations; costs; performance history; 
Operating status (e.g., under repair, fully operating); quantities; purpose of asset; 
producers; associated consumers, owners, and custodians; and identification data such 
as serial numbers, model number, and class number. IS and/or accounting department 
records should be examined to obtain this data. 

Fourth, the component (tasks) of the IS should be surveyed to determine the 


extent of IS capabilities. The IS may not, for example, have a communications or 


40 


systems programming task. Systems programming may be performed under a contract 
with an outside vendor. On the other hand, the IS may not have a communications 
capability if it has a centralized configuration. The IS resources (assets) that are used 
to perform each relevant component (task) should be entered into the security 
database. 

Fifth, the management of the IS should be examined. IS records could be 
researched and discussions held with IS management personnel to obtain some 
significant information. The configuration should be obtained to determine the extent 
of the structure and deployment of IS resources and components (tasks). IS plans 
should be reviewed to gain an understanding as to the planned direction of the IS. 
Existing applications and those under development or those expected to undergo 
development should be included in such information. This would provide some insight 
into determining the organization's level of dependency. Also, the information entered 
into the database should specify the technology and class of each application. All IS 
policy statements, standards, rules, procedures, and guidelines relevant to securitv 
should be obtained and read to determine the current level of management controls 
over its operations. Finally, a history of security violations, problems, and audit results 
should be accumulated and analyzed to determine trends and significant problem areas. 

5. Baseline Security Requirements and Information 

The surveys of the environment resulted in two significant accomplishments. 
First, information relevant to the development, operation, and management of the 
security system was obtained and entered into the security database. This information 
involved environmental laws and regulations which require the organization to secure 
specified assets; top management and user security needs; the IS objectives and 
measures of performance; user identification and definition; IS resources (assets); IS 
components (tasks); the IS configuration; IS plans and established security procedures; 
and the technology and class of each existing and planned IS application. 

Second, the analysis resulted in the establishment of a baseline or minimum 
level of security requirements. These requirements resulted. from the survey of 
environmental laws and regulations and the organization's internal security policy and 


existing procedures relevant to IS security. 
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F. SECURITY CLASSIFICATION PROGRAM 
1. Background 

It is not appropriate to approach the protection of automated systems and 
their associated data assets as a monolithic issue. [Ref 27:p. I-E- 1] In other words, all 
IS applications, data, and transactions need to be afforded the same degree of 
protection. Such an approach to IS security would create several problems. First, all 
applications, data, and transactions do not possess the same level of sensitivity or 
criticalness. For example, an electronic funds transfer system that moves billions of 
dollars daily is, of course, far more sensitive than a capital asset accounting system. 
The same could be said of data. Data regarding an organization’s strategic marketing 
plan requires a higher level of protection than does routine purchasing and accounting 
data. In order to determine effectively the level of protection required bv its 
applications, data, and transactions, organizations must first identify the level of 
sensitivity and criticalness of those assets. Such an approach helps to avoid a situation 
of overprotecting some assets while underprotecting other ones. 

A second problem that arises from a “shotgun” approach to security is that 
protection resources are frequently wasted, incurring unnecessary processing overhead 
and negatively affecting operational efficiency and productivity. For example, an 
unnecessary security software package excessively consume processing time that could 
be used for the processing of applications. Finally, an organization’s inability to 
objectively identify and classify IS applications, data, and transactions according to 
their sensitivity and criticalness makes it difficult (if not impossible) to develop effective 
IS security standards. Without these standards, it 1s impossible to implement either an 
IS security system or an effective program of IS auditing. 

Such problems can be solved by the development and implementation of an 
organization-wide IS Security Classification Program. Three benefits result from such 
a program. [Ref. 27:p. I-E-12] First, the classification of application systems and data 
on the basis of their sensitivity/criticalness permits controls to be allocated based on 
specific protection requirements. This results in a higher level of overall protection and 
reduced costs for security system operation. Second, the objective classification of 
applications, data, and transactions permits system development and maintenance 
personnel to readily identify sensitive and critical areas while implementing and 
maintaining controls during development or improvement. Finally, classification 


permits IS auditing to focus its activities on those applications whose sensitivity makes 
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them targets of fraud or whose criticalness makes their continuity of operations a 
matter of organizational survival. 
2. Establishing the Classification Program 

Implementation of the program should begin with the development of an 
organizational framework in which all IS applications, data, and online transactions 
can be analyzed, evaluated, and classified. [Ref. 27:pp. I-E-1 to I-E-2] One means to 
accomplish such a process would be the establishment of a Security Classification 
Review Committee. Such a committee would set policy and direct the efforts of several 
classification working groups. If this approach is used, the committee should be 
established at the direction of top management and should comprise the IS security 
manager, the IS auditor, and the manager of applications development. 

Upon its formation, the committee should determine the order in which IS 
applications, data, and transactions will be reviewed. Due to the impracticalities of 
reviewing all such items initially, the committee should develop a list from the database 
of those items that it considers the most sensitive and/or critical. Generally, 
applications, data, and transactions should be reviewed in the following order: 

e All online applications currently under development. Basically, it, is less 
expensive and time consuming to apply controls to applications during their 
development. than when they are installed and operational. Also, major 
disruption of IS service could result. 


e Existing online application. systems involved in money movement or 
management (e.g., electronic funds transfer systems, cash management systems). 


e Existing online applications involved in the movement of nonmonetary 
negotiables (e.g., securities trading and movement systems). 


е Existing online applications handling, sensitive proprietary or personal data 
(e.g., strategic planning systems, client information systems, personnel systems). 


е Online applications handling functions critical to organizational operations 
(e.g., ticketing/reservation systems, process control system). 


e All new and existing batch systems. 
Once the applications are identified and ranked in the order in which they will be 
reviewed, the committee must then manage the review process. 
3. Classification Evaluation Criteria 

The next step in the development of a classification program is to formulate 
criteria or variables for assessing the sensitivity and criticalness of the applications. 
data, and transactions. Such criteria will define sensitivity and criticalness levels in 
terms of the level of damage to the organization if specified IS assets are subject to 


destruction, modification, disclosure, or denial of service. 
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Since each organization has unique priorities relative to the sensitivity and/or 
criticalness levels of its applications and data, the Classification Review Committee 
should carefully evaluate the environmental analysis results previously discussed to 
determine the levels of protection required. Such an evaluation should be based on 
two basic properties of application systems, data, and transactions - sensitivity and 
criticalness. 

a. Sensitivity 

Sensitivity is the degree to which the organization will suffer damage of 
some tangible and/or intangible form if application systems or the data and 
transactions they store and process are subjected to one of the following: [Ref. 27:pp. 
1-Е-2 to I-E-3] 


е Compromise. Compromise may involve unauthorized disclosure of data (either 
accidentally or maliciouslv) or the theft of resources. 


е Modification. Modification includes all types of modification, either accidental 
or malicious, that could result in fraud, damage to reputation, injury to 
competitive posture, embarrassment, or other negative impact on operations. 


An analysis of applications, data, and transactions relative to their impact 
on overall operations if compromise or modification should take place needs to be 
performed by the review committee. A multilevel sensitivity classification matrix should 
result from this analysis. There are five parameters or variables which need to be 
considered when assessing sensitivity. [Ref. 36:pp. 2-4] 


е Competitive Value. The actual or potential value that the, data could have to 
other organizations. Such value can be quantified, such as in terms of potential 
dollar loss of business or service to customer or client, effect on market share, 
impact on net income, potential or unfavorable PL and so forth. The 
basic assumption is that the greater the value of data to a competitor, the 
higher the lével of sensitivity. Therefore, the more stringent the controls that 
should govern,its accessibility, usage, and disposition. Examples of data with 
such competitive value include data on the organization’s current product 
(customer-satisfaction surveys, customer’s master list, customer’s list with 
products installed, marketing surveys, planned enhancements, list о 
distributors, design specifications, and cost figures), new product (design 
specifications, marketing surveys, competitive analysis reports, and potential 
customer list), and strategic planning (diversification plans, financial plans, 
planned acquisitions, and new product direction) [Ref. 33:pp. 6-7]. 


е Fraud Potential. This involves the extent, to which the data could be used for 
personal monetary gain by those within or outside the organization. An 
example would involve any report indicating savings account, activity that could 
be used to move money between accounts and reduce the risk of etection by 
operating within a time frame which 1s consistent with normal account activity. 
The basic measurement is the potential dollar loss to the organization if a fraud 
is perpetrated using the data being evaluated. 


e Legal Liability. his involves the likelihood that the organization will be 
su ү to legal action if the data is improperly disclosed. Also, legal liability 
could result during the normal course of business if data proves to be false or 
Inaccurate (e.g., the 10-K or the annual report). This analysis variable could be 
expressed in terms of the cost of fines/htigation., Data of this nature involves 
such areas as personnel, health, credit, financial, account balance, salary, 
performance, and name and address data about individuals or organizations. 
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е ”Newsworthyness”. This is data which is or could be considered newsworthy by 
the media or special-interest groups. The пиар remise of this, variable 15 
that 1f the data 1s considered newsworthy by any of these organizations and is 
not made public through normal public relations channels, the data may be 
Gistorted or misinterpreted. 


e Financial Exposure. Financial exposure involves the dollar value of the assets or 
liabilities of the, organization. The commercial loan portfolio, for example, of a 
bank is a significant asset. On the other hand, commercial deposits are a 
significant liability. Since both of these financial items are volatile and represent 
s value, they would place higher on the criticalness scale than data about 
fixed assets. 

Although organizations have varying needs in terms of sensitivity levels, the 
classification process has many common factors. Appendix B presents a sensitivity 
matrix that can be expanded or abbreviated to meet specific requirements. It is offered 
as one means of structuring the sensitivity classification. However, an organization 
may develop whatever approach it regards as appropriate to perform the classification. 
The sensitivity levels (A-F), the numeric ratings (0-5), and the impact values (e.g., more 
than 510 million) could vary depending on the particular circumstances of the 
organization. For example, an organization’s size may be so small that the impact scale 
should only have a maximum of $100,000 rather than more than $10 million. Each of 
the six sensitivity levels is assigned an equivalent numeric rating. For example, 
extremely critical and extremely sensitive are each assigned a numeric rating of 5 since 
they represent the highest levels of sensitivity and criticalness. 

b. Criticalness 

Serious loss can result to an organization 1f it sustains serious damage from 
denial or impairment of applications or data. Criticalness is a means of assessing the 
type of backup, recovery, and contingency procedures employed to ensure continuity of 
operations of critical components (tasks). There are six criteria or variables which need 
to be considered when assessing criticalness. [Ref. 37:pp. 2-4] 

е Cost of Creation. This involves the cost in terms of time, manpower, facilities, 
services, and out-of-pocket expenses to create the resources and components. 
For example, research data 2 product or market research) 1s. generally 
collected and recorded (“created”) over an extended pesioc ol отсе 
significant or real value of the data may come from the conclusions drawn from 
it. Computer software represents a major example of the value of an IS resource 
which could exceed its recorded or development value. 

9 Cost or Difficulty of Reconstruction. This involves the effort, which have to be 
expended and the cost which would have to be incurred if the resource or 
component had to be reconstructed following its destruction or loss of its 
integrity. Such is often the case with archival records. Both cost of creation, and 
cost or difficulty of reconstruction shouid consider existing backup provisions. 
When these exist, cost evaluations must consider reprocessing, premium costs 
that could be incurred for additional resources to facilitate reprocessing, and 
costs of diverting existing resources from normal organizational activities. 


¢ Impact on Management Decisions. This variable involves the extent to which 
management decisions could be affected if data becomes unavailable or its 
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integrity_is violated. An example, would be a problem with a bank’s loan watch 
report. This report is used to identify potentially troublesome loans. If this 
report becomes unavailable, the number of bad loans mu Increase because 
lending officers would not have the information they need. Therefore, in this 
case, data can be viewed as impacting important decisions involving customer 
relations or activity. 

е Дуан Constraints. This variable involves the extent of the delay which 
can be tolerated between the time data is requested and the time when it 1s 
made available. For example, a 24-hour or more delay in providing a checking 
account customer with a list of all debits and credits against his or her account 
for the past 30-days should be reasonable. However, information about the 
bank’s reserve position must be made available within a few hours after the 
close of the day s business. 

ө Retention Constraints. Such constraints involve the degree to. which retention of 
the data is required by regulatory agencies and/or organizational management. 
An example would Бе certain segments of personnel data that must be retained 
for a period of time specified By the Internal Revenue Service (IRS), Equal 
Employment Opportunity Commission (EEOC) and other government agencies. 

ө Processing Constraints. This involves the degree to which the processing of the 
data is governed by organizational needs, management requirements, or 
regulatory demands; and the degree to which other resources and components 

depend on the availability and integrity of the data. Checks, for AS should 

be processed for clearing within 24 hours; customer funds must be transferred 
within the agreed-on time frame; the bank’s reserve position must be determined 
at the close of each business day. In each case, the data needed to perform the 
required functions has processing constraints. 

Using such criteria, criticalness classification levels could be developed for 
analyzing applications, data, and transactions. Appendix. C presents a criticalness 
matrix that can be expanded or abbreviated to meet specific requirements. As with 
Appendix B, each of the levels is assigned a numeric rating to represent its relative 
significance within the level (e.g., 5 1s a higher level than 4). Also, this matrix 1s offered 
as one means of structuring the criticalness classification. It 1s rare for sensitivity and 
criticalness levels to coincide. A specific transaction may be extremely critical to overall 
operations but may present no potential for fraud or other misuse. Therefore, a 
classification. scheme should be developed for each of these properties, with the 
continuty of operations of applications being given the same consideration as 
protection against modification or compromise. 

At this time, it is important to stress caution when using Appendices B, C, 
and G. These three were constructed using an ordinal measurement scale. As indicated 
in the appendices, this scale only represents position in an ordered series. It does not 
represent the magnitude of the difference which exists between the successive positions 
in the scale. In other words, sensitivity level A with a numeric rating of 5 indicates that 
it is of greater significance than E with a numeric rating of 1. However, it is not 
necessarily five times as great. In fact, $10 million with a numeric rating of 5 is a 


thousand times greater than $10,000 with a numeric rating of I. 
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On the other hand, a numerical assignment of a ratio scale reflects identity, 
order, and differences in magnitude. An example of such a scale would involve 
measuring height by a yardstick. A person with a height of six feet is twice as tall as 
someone who has a height of three feet. In the case of the three appendices, this would 
mean, for example, that sensitivity and criticalness level A would be five times as great 
as level E. [Ref. 38:pp. 62-64] 

The use of the ordinal scale will prove useful for several reasons. First, it 1s 
difficult to establish precise dollar limits for the various levels of sensitivity and 
criticalness. Extremely sensitive, for example, is greater than highly sensitive but no 
defined criteria exists to establish precisely by how much of a difference does exist. 
The determination of the difference becomes a matter of professional judgement and 
historical experience. Second, the dollar range of the scale will vary depending upon the 
size of the organization. A large organization may have a dollar scale as large or larger 
than the one presented in the appendices. For example, a small organization may have 
the range $100,000 to $1,000,000 as the top level of the scale. On the other hand, a 
larger organization, may have a top level of more than $100 million. Third, it must be 
emphasized that a numeric rating of 5 does not necessarily mean that an application 
program, for example, would require five times as many controls and attention as an 
application with a rating of 1. Тһе rating is a guideline that should be used in 
conjunction with other factors during practical design to apply a sufficient level of 
protection to assets. The various classification levels also provide a means of classifying 
known controls by those levels where they can be most effectively applied. 

c. Classification Program Implementation 

Upon the establishment of the levels of sensitivity and criticalness, the 
Classification Review Committee must set policies and guidelines concerning 
implementation of the program. The committee must consider two key areas in doing 
this. First, there is the issue of classification authority. Authority for assigning 
sensitivity and criticalness ratings should reside with the user of the application or data. 
It is the user who will ultimately feel the impact of the compromise or modification of 
data or the denial of service. Therefore, ownership of all applications and appropriate 
data must be clearly assigned to user organizations, which then assume complete 
responsibility for determining the classification levels of their respective applications, 
data, and transactions. However, the results of user classifications should be reviewed 


by the committee. This is necessary to prevent under- or over-classification of assets. 
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Operational managers using IS resources should be formally delegated (in 
writing) by top management through the Classification Review Committee, the tasks of 
reviewing applications, data, and transactions in their task areas and of assigning 
classification levels to these resources. Responsibility for this review should be placed 
at a high enough level within the user community (e.g., vice president, manager) to 
ensure that it receives adequate management attention. 

Second, once classification authority has been assigned, the appropriate 
managers must be required to submit a schedule of classification review and evaluation 
action to the review committee. The committee then needs to actively monitor review 
and classification activities within the various task areas. Timely action can be ensured 
if the internal audit function also monitors progress as part of its regular controls 
review. 

In addition to its oversight responsibilities, the committee should establish 
procedures to ensure that all new resources are reviewed and classified during 
acquisition or early in their development life cycle. Also, provisions should be made to 
reevaluate resources periodically (e.g., every two years) to ensure that assigned 
sensitivity and criticalness are still adequate and appropriate. 

4. Classification Review Process 

Individual classification working groups should perform the actual review and 
analysis of the sensitivity and criticalness of application systems, data, and 
transactions. [Ref. 27:pp. I-E-5 to I-E-12] Such groups, appointed by those managers 
having classification power and responsibility for applications and data, should 
comprise representatives from IS security; IS auditing, applications systems project 
management, and user management. The level of sensitivity and criticalness should be 
recommended by the working group to the responsible manager, who makes the final 
decision concerning classification. 

a. Data] File Classification Review 

The first step in this process is to perform the Data/File Classification 
Review. The working group should identify each file used by the applications and 
analyze it using Appendices B and C. This analysis of sensitivity and criticalness is 
based on several factors. First, the organization’s history may prove a valuable source 
of information for estimating the various classification levels. For example, the 
disclosure of competitive data could have resulted in loss of business or the gain of 


business for another firm. Second, various laws may specify the classification levels of 


48 


various data such as personal or health data. Third, the professional judgment of the 
working groups could play a significant role in deciding on the classification levels. 
The results of the review should be entered into the security database. The information 
to be entered includes the name and/or alphanumeric file designator; applications using 
the file should be identified and a functional description of the file’s data. Each member 
of the working group should then independently assess the sensitivity and criticalness 
of each file using the criteria of Appendices B and C. The members of the working 
group should jointly examine their findings and agree on the rating to be given the file 
in each of the four sensitivity/criticalness areas. Using the numeric ratings assigned in 
these categories, the group should then assign an overall sensitivity/criticalness level for 
the file based on the matrix presented in Appendix D. As the appendix indicates, 
extremely sensitive (A) and extremely critical (G) are assigned the same numeric rating 
of 5. It is rare for the two to coincide. For example, a specific transaction may be 
extremely critical to overall operations (5) but may present no potential for fraud or 
other misuse (0). The ratings are assigned to provide some means of assessing the 
relative significance for the varying levels of sensitivity and criticalness. The sensitivity 
level is determined by the highest of the three sensitivity ratings. For example, if the 
competitive data level is A (5), the data with fraud potential is E (1), and the privacy 
data is at F (0), then the overall sensitivity is rated at the highest of the three which 15 
A (5). The overall sensitivity/criticalness level should then be entered in the database 
for that specific file. 
b. Transaction Classification Review 

If the application system being evaluated is an online application, the next 
step is to perform a Transaction Classification Review. While the data/file classification 
review defines sensitivity and criticalness at the database or file/data set level, 
sensitivity and criticalness for online applications must also be defined at the 
transaction level. Therefore, the group must identify each online transaction and its 
sensitivity and/or criticalness level. There are two approaches for transaction 
classification. 

The first approach involves having the application development manager 
identify all files accessed by the transaction. This information should then be entered 
into the security database. The sensitivity and criticalness levels of the online 
transaction should be determined in the same manner as the data/file review previously 


discussed. 
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The second approach 1s to classify transactions by generic type and assign a 
ranking to each based on their scope and function. The following are the basic types 
of transactions, ranked in order from the most critical to the one requiring the least 
protection. [Ref. 39:p. 69] 

е Туре 1. These transactions affect the total IS operation. There exists the 
potential that damage or a complete shut down could affect the entire IS 
Operation. 

е Туре 2. These are transactions that directly relate to the IS security svstem 
itself. There is the potential that a transaction would render security software 
inoperative. 

ө zu 3. These transactions are not bound to any specific applications. 

xamples, involve debuggers and software tools that enhance programming 
productivity. There exists the potenta, that a debugger, for example, could. be 
used to access security files and gain access to passwords and user identification 
codes. 

е Type 4. These are the so-called “back-door” transactions which are designed 
into the third-party software. A back door is_a simple transaction, that a 
Раоа анте, designs into his or her program so that he or she can get into the 
application file quickly for debugging, and maintenance. Since only the 
programmer is aware of this transaction, and it isn't published in the 
documentation, users have no way of learning it. 


е Type 5. These, transactions within an application program that are used to 
update application files. 


е Type 6. These are inquiry transactions which are not bound to a specific 
application. 


е Type 7. These are inquiry transactions which are specific to a given application. 
е Туре 8. These are transactions with no security associated with them. 
c. Applications Review 

The third step in the review process is the analysis of the overall level of 
sensitivity and criticalness of the application. In this phase, the working group 
identifies the application and provides a brief functional description of overall 
application operation. All files and transactions identified and analyzed during the 
previous two processes and their associated sensitivity and criticalness data are then 
entered into the security database. This presents the working group with a profile of 
the application, including its data and transactions, as well as an objective basis for 
determining application classification 1n terms of sensitivity and criticalness. 

In developing overall application ratings, the working group should analyze 
the sensitivity and criticalness levels of all files and transactions within the application. 
The ratings assigned to the application should reflect the highest level assigned to any 
of the constituent parts (e.g., a rating of Extremely Sensitive for any file or transaction 


would render the entire application Extremely Sensitive). This ensures that the level of 
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security and management review afforded the application will be sufficient to protect 


the integrity of all its data and transactional parts. 


G. CONCLUSIONS 

The planning process resulted in the accomplishment of several significant results. 
First, a development group was established to perform the planning, design, and 
implementation of the security system. Security system development plans were 
formulated with estimates for staff, funding, and time requirements. Second, the 
security responsibilities of top, line, and security managements were established. Third, 
an IS security policy was formulated. This policy established both security objectives 
and priorities. Fourth, the laws and regulations which impose mandatory security 
requirements on the organization were identified along with any relevant organizational 
IS security policies and procedures. Fifth, top management and user security needs and 
concerns were identified. Sixth, IS assets and users were defined and identified. Finally, 
a Security Classification Program was established. IS applications, data, and 
transactions were identified and assesed as to their sensitivity and criticalness. The 
accumulated information was entered into the security database. The information will 


be used as input to the design process which will be subsequently discussed. 
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V. THE DESIGN PHASE 


It’s or. the path you do not fear that the wild beast catches you. [An African 
Proverb] 


А. INTRODUCTION 

The design phase involves a process which results in the establishment of the 
security resources (controls) part of the IS security system. Such controls are applied to 
the resources (assets) of the IS to provide the required level of protection for the assets. 
This application of security controls to IS assets results in the linkage or connection 
between the IS security system and the IS. This linkage is produced by a process 
consisting of five activities. First, threats to assets will be identified. Second, an 
assessment will be conducted of the impact of such threats upon the assets. This will 
involve assigning values to each asset including the logical assets (software and data). 
Third, a determination as to the current security posture of the IS needs to be 
performed. This will result from the information accumulated in the security database 
during the planning phase as well as a security survey. The current security posture will 
be compared with the results of the threat assessment to determine whether the current 
level of protection is adequate to counter identified threats. If the current level is not 
adequate, then a state of vulnerability exists. Fourth, a logical design should be 
performed. This design represents a “virtual” design since all identified assets and 
threats are matched with all possible controls needed to counter such threats. Also, it 
represents the maximum possible protection that an organization could develop. Fifth, 
a practical design should be developed based on the utilization of specified criteria and 
constraints to the logical design. This practical design will result in a control 


configuration consisting of assets, threats, and selected controls. 


В. A RISK ASSESSMENT 
1. Background 
The activity of a risk assessment involves a detailed examination of the assets 
and procedures of the IS; the vulnerabilities of the existing controls; and the threats 
that may exploit such controls and result in the disclosure, modification, 


destruction/damage, and denial of service of assets; and a determination of the current 
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security posture of the organization. (Ref. 40:p. E-1] The purpose of the assessment is 
to help top management, IS management, and security management strike an 
economic balance between the impact of risks and the cost of protective controls. A 
secondary benefit is the increased security awareness which will be apparent at all 
organizational levels. [Ref. 41:p. 3E-2] There are three tasks needed to accomplish the 
risk assessment. First, threats which are existing and potential to assets will need to be 
identified. Second, the economic impact of such threats will need to be estimated. 
Third, a survey of existing security controls which are applied to counter those threats 
will need to be conducted. A subsequent assessment will be made to determine the 
extent of the vulnerability of the assets to those threats. 
2. Threat Identification 

ihe first task of the risk assessment activity is to perform a threat 
identification. During the planning process, IS applications and their associated data 
and transactions were classified. The purpose of the classification was to determine the 
relative criticalness and sensitivity of the applications, data, and transactions. In effect, 
all applications, data, and transactions were prioritized based on defined criteria. The 
prioritization will play a significant role during the actual allocation of security controls 
within the IS as will be demonstrated during practical design. 

Threat identification will involve an identification of threats to the assets 
which are used to form such applications, data, and transactions. As discussed in 
Chapter III, applications are what IS management develop to accomplish its 
objectives. Facilities, hardware, software, data, people, and procedures are combined 
and allocated to form the applications. 

A threat to an IS asset is any circumstance or set of circumstances that 
possesses the potential to cause harm. [Ref. 27:p. II-2-1] There are several means to 
perform an identification of threats. First, the security database should be accessed io 
provide a source of threats. The database contains the history of security violations 
and problems which were recorded during the planning phase. This information should 
involve the causes and frequency of violations and problems. Also, the nature and 
locations of assets and components (tasks) can provide insight into threats. For 
example, IS assets may be located in geographic areas which are suspectible to flooding 
and snowstorms. Also, the IS may contain a communications component (task). 
Therefore, there is the threat of the failure of communications software. Second, 


professional publications from such organizations as the Computer Security Institute 
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could provide information regarding possible threats for specific assets. Third, 
professional consultants specialize in performing risk assessments and could provide 
information on various threats. 

Appendix E contains a listing of threats and some examples. [Ref. 27:pp. 
[I-2-1 to II-2-17] The threats are categorized as to their primary cause or source. 
Natural occurrences, such as floods and fires, pose a threat to all assets. Human 
intervention cannot eliminate these threats. Prior planning or controls implemented 
cannot prevent their occurrence completely. However, by acknowledging the presence 
of a threat, the organization can take steps to minimize its damage. Another source of 
threats involves the technical operation of supporting utilities, hardware, and software. 
Such threats may result from problems beyond the control of the organization (e.g., 
failure of the supporting electrical utility or the communications common carriers) or 
from negligence on the part of organizational personnel (e.g., improper maintenance of 
heating, ventilating, and air conditioning equipment, failure to follow established 
procedures for operation of hardware). Next, human accidental threats represent the 
most common threats to IS operations. These involve errors or omissions on the part 
of the personnel of the organization. The final category of threat presented in 
Appendix E represents hostile acts of malicious intent on the part of persons within or 
outside the organization. An inventory of threats and estimates as to their probabilities 
should be maintained and updated in the security database. Appendix F is an matrix 
which matches each asset with the events that pose a threat to it. This matching of 
asset to threat is one that has developed from historical experience as well as from 
professional testing and research. 

3. Impact Analysis 

The purpose of an impact analysis 1s to assess the damage which could result 
from an unfavorable event (threat) and an estimate of how often such an event may 
happen. The damage can be expressed as the destruction, modification, denial of 
service, and disclosure of assets. These forms of damage can be measured in both 
monetary and nonmonetary terms. However, the nonmonetary impact should be 
converted to an approximate monetary impact. This will permit sufficient comparisons 
between alternative security controls. There are four steps needed to perform the 


impact analysis. An explanation will be made of each of the four steps. 


a. Step One 
The first step in the analysis is to determine how broadly or narrowly to 
define the assets contained within the security database (Appendix A). For each 
defined asset, all units of this asset should be in the same physical area, protected in 
the same manner, and subject to damage by the same threats. If one unit of the asset is 
damaged, either all other units must be highly likely to be damaged in a similar way, or 
the entire asset should be rendered unusable. For example, six identical computers are 
to be considered as six separate assets because damage to one of them would not imply 
damage to all of them. On the other hand, do not regard a single computer as a 
collection of subparts, since if one of these components were to fail, the entire 
computer would be damaged to a similar level. Also, it may not be practical to break 
data assets down to individual files (tapes, disc packs, etc.) for the purpose of assigning 
an impact value. [Ref. 40:p. E-4] 
b. Step Two 
The second step of the analysis is to determine which impacts would affect 
the designated assets. The following definitions of impact areas should be used: [Ref. 
40:pp. E-4 to E-6] 


е Modification. The value of logical (software and data) assets should be based 
on the cost to correct the consequences of the, modification and/or the, cost of 
locating and recovering from the modification itself. The value of physical and 
human assets (facilities, hardware, and people) should be based on the total 
cost to detect, locate, and correct the modification. 


е Destruction. Destruction results in the loss of the asset. The value of the asset 
should include the cost to reconstruct or replace the asset, as well as the costs 
incurred from denial of service caused by the destruction. The impact values of 
software or data assets should be based on the cost to replace the asset. This 
value should include the cost of reconstructing the asset from scratch, or the 
cost of importing and i: a copy of the asset. Labor costs required for 
this reconstruction should be inciuded. As many factors as possible should be 
considered in determining the value. For example, if reliable backup tapes are 
readily available, the impact of destruction of à data or software asset mav be 
negligible. Hardware and procedural asset парас, values should be based on 
replacement or reconstruction of the asset. Generally, this would include the 
purchase or construction price of the replacement. However, in some cases, 
relocation costs might be considered. 


е Disclosure. All financial, а and personal data should be assigned an 
impact value for the impact of disclosure. 


ө Denial of Service, This estimated value should include the, costs incurred from 
all denial of service, except for that caused by the destruction of the asset. For 
example, a power outage to hardware mav result in denial of service to users 
without actually destroving the hardware. The impact values should be based, 
when possible, on additional costs incurred and penalties assessed due to delays 
in job completion. Also, an impact value should be assigned for denial of 
service if operations should be delayed. or cancelled or if appreciable delays 
result. The quantification of such intangibles should be based on a typical case 
and consider the extent of the denial and the importance of the operation or 
decision. A denial of service value should be assigned to key personnel if their 
absence would result in delays similar to those outlined above. 
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с. Step Three 

This step involves estimates as to the monetary and nonmonetary impacts 
for each of the four impact areas just discussed. If the impact area affects the asset 
contained in the database inventory, then the economic loss which would result from 
the impact should be estimated. This loss can be measured in both monetary and 
nonmonetary terms. However, the nonmonetary impact should be converted to an 
approximate monetary impact to permit sufficient comparison between alternative 
security controls. 

The National Bureau of Standards (NBS) [Ref. 4]l:pp. 3E-6 to 3E-8] 
indicates that the time needed for the analysis will be considerably reduced, and its 
uscfulness will not be decreased, if both monetary and nonmonetary impact and 
frequency estimates are rounded to the factor of ten indicated in Appendix G. There 
will be no significant difference in the overall exposure whether the damage from a 
specific threat is estimated at $110,000 or $145,000. Also, assigning value to such 
things as loss of career caused by disclosure of confidential information or suffering 
caused by undue delay in the delivery of an annuity check is, in fact, more readily 
performed in orders of magnitude (1, 2, 3, etc.) than in actual figures. 

The sources for impact estimates include the organization's historical 
accounts of security violations and problems; suppliers of the various assets; and 
professional consultants. Using the estimated monetary impact amount, refer to 
Appendix G and select the corresponding impact value rating (1, 2, 3, 4, 5, 6, 7, and 8) 
and enter this data into the database for each asset when appropriate. In other words, 
for a given asset, an impact rating of from one to eight should be assigned to each of 
the four impact areas of modification, destruction, disclosure, and denial of service. If 
the impact does not affect the asset, then no entry is made for that asset in the 
database. For example, disclosure of privacy data has a definite impact. However, 
disclosure of the software program that processes that data may not have an impact. 
Sufficient information which supports the impact value rating assigned should also be 
entered into the database. [Ref. 40:pp. E-1 to E-9] 

d. Step Four 

The final step involves the computation of the annual loss expectancy 
(ALE). If the impact of the threat, i.e., the precise damage it could produce, and the 
frequency of occurrence of that threat, i.e., the exact number of times it could happen, 


could be specified, the product of the two would be a statement of loss. However, since 
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the exact impact and frequency can usually not be specified, it is only possible to 
approximate the loss with an ALE. This represents the product of the estimated impact 
usus CD) and the estimated frequency of occurrence per year (F). For ease in use, the 
orders of magnitude for estimated frequency of occurrence can be indexed as shown in 
Appendix G. 

The National Bureau of Standards (NBS) has developed the matrix 
presented in Appendix H. It could be used to compute the ALE of each asset for each 
of the four impact areas. The impact value and the frequency of that impact will be 
estimated for the appropriate asset/threat combinations which are recorded in the 
database. This will be accomplished by matching the estimated impact (1) and 
frequency (f) values for each threat that is associated with a given asset. The 
intersection of these two values in Appendix H results in the ALE. Therefore, for each 
threat that 1s associated with a given asset, there could be ALE values for the four 
possibie impact areas of disclosure, destruction, modification, and denial of service. The 
four step process just described assumes that threats are mutually exclusive and does 
not account for their intersection. The results of the impact analysis should be recorded 
in the database. 

The information which results from the impact analysis and recorded in the 
database could be summarized in several ways. First, for each individual 
asset/threat/impact area combination, there are estimated impact, frequency, and ALE 
values. Second, the total ALE for each asset within an impact area (destruction, 
modification, denial of service, and disclosure) can be derived. In other words, the ALE 
for all database management systems (DBMS) that are subject to destruction can be 
described. Third, the total ALE by individual threats within an impact area can be 
obtained. In other words, the ALE for the unauthorized modification of application 
software can be obtained. One example would involve the total ALE for the threat of 
unauthorized modification of application software. Fourth, the total ALE for each 
impact area can be determined. For example, the total ALE for the disclosure impact 
area can be obtained. Finally, the total ALE for all four of the impact areas can be 
determined. This would represent the total estimated loss that the organization would 
face from the four combined impact areas of modification, destruction, disclosure, and 
denial of service. It is important to stress that each of these estimated values will 


change as revised estimates are made of impact (1) and frequency (f) variables. 
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e. Vulnerability Assessment 

The final step in the risk assessment 15 the performance of a vulnerability 
assessment. This assessment involves three items. First, an asset subject to loss. 
Second, a threat(s) to that asset that could result in damage to it. Third, the state of 
security, in terms of the lack of or weak controls, that would allow the threat to cause 
damage. Asset and threat information are already recorded in the database. A survey of 
the security controls which have been applied to IS assets will need to be performed. 

Appendix I provides a listing of security controls which can be applied to 
assets to provide protection from various threats. Each listed control is assigned an 
identifying number. A survey should be performed to determine which of these 
controls, if any, are currently applied to IS assets. IS records should be reviewed and 
personal inspections made to determine the extent of the controls applied to assets. If 
the controls applied against assets to counter threats are insufficient to adequately 
protect the assets then vulnerability exists. [Ref. 35:p. 166] 

The degree of adequacy of existing controls can be determined in several 
ways. First, the database should contain whatever information is available regarding 
the history of security violations and problems of the IS. The historical performance of 
the controls can be reviewed to estimate the degree of adequacy of the control in 
countering specified threats. The historical records may reveal vulnerability. Second, if 
history is not available or is immaterial in volume, then control reliability information 
could be obtained from outside sources. Such sources could include professional 
publications and vendor material. Third, tests could be performed to estimate the 
reliability of existing controls against a variety of threats. The threat conditions 
applicable to the asset could be simulated and the reliability of the controls applied to 
those assets estimated. Examples would involve both physical and logical access 
attempts; the inputting of erroneous data; and power failures. The results of the 
vulnerability assessment should be recorded in the security database. The discovered 
vulnerabilities should be ranked based on which provide the greatest, great, and least 
threats to the previously classified applications, data, and transactions. For example, 
does vulnerability 1 pose the greatest, great, least or no threat to all applications, data, 
and on-line transactions which were classified as extremely sensitive and critical, and so 
on? This threat to the various applications, data, and transactions should be expressed 
in economic terms as was previously discussed. The results of the vulnerability 


assessment should be recorded in the security database. 
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С. LOGICAL DESIGN 

Logical design involves the expansion of the currently existing inventory of 
controls contained in the database to include all possible controls which couid be used 
to counter identified threats. This expansion leads to the development of what may be 
called a “virtual” design since all identified assets and threats are matched against all 
possible controls needed to adequately counter such threats and protect the assets. 
Other things being equal, logical design represents the maximum possible protection 
that could be applied without regard for such factors as funding limits and the 
adequacy of the current level of protection. This design represents an inventory of 
appropriately matched controls. Appendix J provides a matrix which consists of 
controls which are identified with specific threats and assets. It matched each 
asset/threat combination which was identified in Appendix F with corresponding 
controls. This information should be entered into the security database. 

Controls can be identified from several sources. First, the organization may have 
existing controls and historical records of their performance and suppliers. Second, 
there are organizations that provide such controls such as vendors who produce and 
market security software packages and fire detection devices. These vendors provide 
demonstrations of their products and offer material describing their characteristics. 
Third, professional publications provide information on existing and newly developed 
security controls. Fourth, vendors offer public fairs of their products at different 
locations throughout the country. 

As much information as possible should be recorded about the controls in the 
database. Such information would include the control name; purpose; 
series/model/class/type/line; vendor; cost; ease of use; reliability; development and 
installation time; state of the art status; availability; insurance requirements; skill level 
needed to develop, install, and operate; and possible impacts on IS performance and 
availability if employed. The logical design will be used to support the practical design 


which follows. 


D. PRACTICAL DESIGN 

The practical design involves the construction of a configuration of assets, 
threats, and controls which will be applied to the threats to protect the assets within 
specified constraints. The logical design matched each asset and threat combination 


with a number of controls which could be used to counter the threats. However, due to 
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several reasons, all the controls cannot or should not be applied to the assets to 
counter the threats. 

First, the practical design is subject to funding constraints which were imposed 
by top management during the planning phase. Second, specific IS applications, data, 
and transactions were previously classified as to their sensitivity and criticalness during 
the planning phase. Each application and its associated data and transactions were 
assigned levels of criticalness (extremely critical, highly critical, critical, moderately 
critical, minimumally critical, and noncritical) and sensitivity (extremely sensitive, 
highly sensitive, sensitive, moderately sensitive, minimumailly sensitive, and 
nonsensitive). Therefore, applications, data, and transactions can be prioritized based 
on their criticalness and sensitivity. One application, for example, could have a higher 
priority than another application. The higher prioritized application would justify more 
protection over one that is less in priority. Third, the previously performed 
vulnerability assessment could have revealed that the surveyed classified assets were in 
various states of protection due to the strengths of the existing applied controls. 
Therefore, some of the prioritized assets will require the additional application of 
controls and some assets will not. Fourth, the controls which are recorded in the 
database can be further divided as to their applicabilities by sensitivity/criticalness 
levels. In other words, some controls are more effective against extremely critical 
applications and some are not. 

The personnel responsible for the practical design must select the most 
cost-effective controls from among those listed in Appendix K. The appendix is a 
breakdown of the total number of controls listed in Appendix [. It applies each of the 
controls to specific sensitivity and criticalness levels. This matching of control to 
classification 1s one that results from historical experience and testing of the controls to 
determine their capabilities and reliabilities. For example, control number 34.1 involves 
the locking of all data and program files in a fire-resistant room or container when not 
actually in use. The access to the files should be limited to authorized personnel only. 
This control has proven to be applicable to all six levels of criticalness. The cost of 
each control as recorded in the database should be considered in three different ways: 
first, in regards to the ALE reduction that it brings about, then the total cost of the 
combined controls should be considered in relation to the net ALE reduction, and 
finally the additional ALE reduction by each contro! should be compared to its share 


of the total cost. For a control to result in a monetary savings, the amount saved over 
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the life cycle of the control must exceed the cost of its installation and maintenance. 


Any control which meets this specification is considered cost-effective. [Ref. 40:p. E-10] 


THREATS ITEMS A B С D 
| а $20,000 520,000 518,000 
| b 9,000 15,000 8,000 
1 (с 11,000 5,000 10,000 
2 E 10,000 12,000 
2 C 10,000 12,000 
3 a 4,000 6,000 
3 b 1,000 
3 с 3,000 6,000 
4 а 2,000 4,000 
4 b 5.000 2,000 
4 С -3,000 2,000 


Source: Ref. 41:p. 3E-19. 


Figure 5.1 Array of Controls vs Threats. 


By constructing a matrix such as shown in Figure 5.1, the threats and the 
controls which could affect one or more of them can be displayed. The threats should 
be arranged in order of the ALE attributable to them (highest to lowest). Each 
intersection in the matrix should contain three items of information: (a) the estimated 
ALE reduction, (b) the annual cost of the measure, and (c) the resultant annual saving. 
Great precision is not required in obtaining these figures. The annual cost of a measure 
is presented opposite the most serious threat which it affects; opposite any other threat 
which is affected only the increase in cost to cover that threat 1s noted. 

The cost-effectiveness of the previously identified existing controls should be 
evaluated as well. The existing controls should all be included in the matrix but only 
the annual maintenance costs need be considered, not the initial installation costs since 
those have already been expended. The cost of controls which are not used solely for 
the purpose of IS security should be prorated if possible. It is also the proper time to 
consider replacement costs. The replacement of equipment should be treated like any 
other remedial measure. The situation could arise that the cost of replacing equipment 


Is less, in some cases, than its protection. 


61 


Comparing all the controls which remedy the same threat (or lesser included 
threats) will indicate which one is the most cost effective in the given circumstances. In 
Figure 5.1, control A, costing $10,000, provides a $24,000 saving against threats |, 2, 
and 3 while control B, costing $17,000, provides a $25,000 summed saving against 
threats 1, 2, 3 and 4. The two controls combined, at a cost of $27,000, provide an ALE 
reduction of $49,000. However, the final comparison indicates that the $10,000 
expenditure for control A only produces an additional saving of $6,000 over that 
obtained by the $17,000 expenditure. In some cases, it may be determined that the 
additional reduction is necessary; in other less sensitive situations, the cost saving will 
be adopted instead. In addition, care should be exercised to insure that the controls 
chosen to counter certain threats do not increase the estimated frequency of other 
threats. 

With all of the ALE reduction and cost estimates arrayed, various combinations 
of controls can be considered tentatively until a satisfactory aggregation of security 
controls 1s achieved. The matrix will prove useful in explaining to top management why 
particular controls should be selected for testing and installation. [Ref. 41:pp. 3E-18 to 
3E-19] 


E. CONCLUSIONS 

The design phase results in the selection of a configuration of assets, threats, and 
controls. The selected controls represent the establishment of the security controls part 
of the IS security system. The following chapter will involve sufficiently implementing 
the selected controls. This implementation will establish the link between the two 


systems. 
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VI. THE IMPLEMENTATION PHASE 


To err is human; to really foul up requires a computer. [Bill Vaughan] 


The psychic task which a person can and must do for himself is not to feel secure 
but to be able to tolerate insecurity. [Erich Fromm] 


A. INTRODUCTION 

The operations phase will involve a process of security system installation, 
testing, and management. First, the selected controls that have been approved will need 
to be implemented during a period of installation. Such installation should be 
performed in an orderly planned manner with accompanying user and security staff 
awareness and training. Second, the controls which resulted from the design phase 
process will need to be tested. This testing is required to ensure that the entire control 
configuration as well as its individual control elements are functioning as required. 
Such testing should be performed on a continuous basis as new controls are added to 
the configuration over time. Finally, the management and components (tasks) parts of 
the security system will need to be established. These two parts will permit the proper 


operation and management of the security system. 


В. INSTALLATION OF CONTROLS 

After the selection of controls, the security staff must concentrate their efforts 
toward the installation of the selected controls within the IS. Like all projects, the 
security system development must compete with other organizational programs for 
recognition and resources. To ensure the greatest probability of success, the security 
manager should make the following preparations. 

First, the security manager should develop a prioritized list of requirements that 
need top management approval and/or funding. Such requirements should be based on 
the practical design analysis which was performed during the design phase. They should 
also reflect other organizational considerations, such as current cash position or market 
pressures, that might not have been fully reviewed in the analysis. Finally, it is 
important that the list should address not only the acquisition of security resources and 
services but the top management decisions that must be made to initiate or facilitate 


program implementation. 
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Second, it should be specifically indicated what 1s necessary for implementing the 
proposed program. The significant part of this process 1s the development of a realistic 
estimate of financial, personnel, and other resources needed to implement a given 
recommendation. These estimates were developed during the planning and design 
phases. However, circumstances may require revised estimates. 

Third, detailed technical specifications covering IS security controls that must be 
developed or procured should be produced. Such development and procurement should 
be performed in conjunction with technical personnel. Fourth, a comprehensive 
acceptance test plan should be developed in conjunction with the technical and 


management staffs. 


C. TESTING AND EVALUATION OF CONTROLS 
1. Test Planning 

The development of a test plan which defines the scope of the test must be 
considered first. The assumptions regarding how the system 1s supposed to operate; the 
effectiveness of security features; the reliability of personnel; and the actions of the user 
are to be challenged. The testing process should provide for the analysis of these areas. 
There may be some areas which do not require explicit testing. However, the practices 
and procedures used should be analyzed to ascertain the adequacy of protection and to 
identify potential problems. The testing process should encompass a detailed 
examination and attempted systematic subversion (singly and in combination) of the 
security controls and features of the system. It is understood that operating procedures 
will vary widely among different organizations. However, certain basic areas should be 

included in any test plan. [Ref. 27:pp. III-1-1 to III-1-2] 
are exploitable gaps in the physical security of the system, including the central 
computer facility and remote terminal areas. The security of the phvsical plant ; 
detecten and supnression. systems, and so” On и 
Special, attention should be paid to areas where the degrees of control and 


protection are not consistent and locations where resources are geographically 
removed from the central facility. 


e Physical Security. The major concern in this area is SLs ae ee there 
1 
р 


ө Personnel Security. Tests in this area should determine whether all personnel 
with access to IS resources have been properly screened and have. received 
security training. Also, the testing should review the adequacy of security 
training and of programs designed to ensure the loyalty and reliability of IS 
personnel. 


© Hardware and Software Security. The emphasis with. this area should be on 
testing the security features of the hardware and, software separately and in 
combination, and on determining the, ability of these features to prevent 
malicious exploitation of IS vulnerabilities. The plan of the test should involve 
hardware, systems software, and application programs to ensure that the 
СЕТІН ИЛЛЕ the documented specifications and that system integrity 15 
maintained. 
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е Communications Security. All communications hardware, software, circuitry, 
and installation procedures should be examined and tested to ensure that an 
adequate level of protection is maintained throughout the communications 
system. Specifically, this involves checking the security of front-end processors 
and/or communications controllers, hard-wired communications links, and the 
interface between the computer and the network as well as the proper 
functioning of cryptographic systems. 

е Procedural Security. The purpose of testing in this area should be to identify 
deficiencies in operationa асе and/or. their execution that could, be 
exploited for unauthorized disclosure or modification of data or the denial of 
service. Also, it, should be determined whether appropriate handling procedures 
and administrative controls are being enforced for the level of informátion being 
processed or Stored in the system. "Testing in this area may overlap, to somé 
degree, testing in other areas due to the integrated nature of most systems. 
Areas, that should be covered include procedural implementation | of 
organizational security plans; computer center operations; terminal operation 
procedures; system software and application program development procedures; 
and emergency procedures. 

2. The Test Team 

At the conclusion of test planning, the security manager should organize the 
test team. It is not likely that the security manager and the staff will possess all the 
necessary personnel, technical skills, and, therefore, other personnel should be made 
available to provide assistance. Guard force workers, for example, can be invaluable in 
evaluating physical access control, their own operations, and overall security of 
physical resources. 

Personnel or human resources department workers can aid in testing and 
evaluation preemployment screening, security training, and terminal practices. 
Communications personnel can test cryptographic systems, communication hardware, 
and communications facilities. Members of the programming/computer operations staff 
members can assist in developing and conducting technical tests of hardware and 
system and application software. Such personnel can also assist in evaluating technical 
test results and in formulating enhancements based on this testing. [Ref. 27:pp. III-1-2 
to 111-1-3] 

3. The Testing Process 

It is important that a detailed schedule and procedures for the actual testing 
should be developed. The tests should be conducted so as to cause as little disruptions 
of normal operations as possible. Generally, testing should not be performed when the 
system is utilized for software development or testing; during implementation of new 
hardware or software; or during critical processing cycles such as payroll or billing. 

a. Testing Tools 

There are a number of tools which could be used to perform the tests. Such 


tools can be specifically applied to each control. For example, a significant security 
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hardware device is an emergency power system. Tests of such a system should include a 
review of its inspection records to determine if inspections are being performed as 
required; and to conduct periodic tests through simulations of power outage 
conditions. The security database should be further expanded to include an inventory 
of appropriate tests for each control in the database. There may be multiple tests, as 
indicated, for each control. Therefore, each test should be specifically designated to 
distinguish it from other tests that could be applied to that control. [Ref. 27:p. III-C-2] 
b. Conducting the Tests 

There should be comprehensive recording of the testing process in the 
security database. The control tested; the testing tool(s) used to perform the tests; the 
test dates; and the results of the tests should be recorded. A standard test report should 
be designed to be used to report the results of all tests. [Ref. 27:p. III-1-3] 

4. Test Evaluations 

The evaluation of test results should only be performed after all testing is 
complete. Some tests may review a control for more than one protective quality or may 
require several steps. For example, a security guard force provides protection against 
unauthorized physical access. Also, it provides a means of visually detecting fire, 
internal flooding, and the like. Therefore, testing the performance of the force involves 
testing its training and procedures in all areas. 

In those areas suffering minor deficiencies, the security manager should review 
the deficiencies with the manager responsible for that area and attempt an on-the-spot 
correction. If the deficiency is corrected, no additional action is required. On the other 
hand, if deficiencies are extensive or particularly severe, or when corrective actions will 
require a substantial outlay of resources, then the results of the team will require 
review and evaluation by top management. 

a. Recommending Security Enhancements 

After the performances of tests and their recording on the database, the 
team should meet to decide on recommendations for corrective measures or 
enhancements for areas where test results have been unsatisfactory. The individual test 
results should be reviewed by the entire team. In some instances, security 
enhancements may resolve the inadequacy of multiple controls. For example, it may 
have been discovered that the names of departed personnel are still being carried on 
the computer-facility access records. The implementation of adequate check-out 


procedures for terminating employees will correct the deficiency. 
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When the team has completed its analysis and developed its 
recommendations, a copy of the findings should be forwarded to each manager 
concerned as well as to top management. Such reporting should be considered highly 
sensitive and confidential and should be stringently controlled. The database should be 
updated to reflect the current status of each deficiency discovered during testing. [Ref. 
27:p. III-1-4] There are two basic installation strategies that could be followed. The 
first 1s the pilot strategy. Such a strategy involves installing the controls on a selected 
segment of the IS. For example, it may prove advisable to install the controls 
application by application. This approach could prove time consuming but it could 
isolate the damages in case the new controls prove to be a problem. A second strategy 
involves a phased approach. For example, data entry or data processing controls could 
be installed in phases over a select period of time. This approach could prove effective 
if the data entry or data processing controls are considered highly complex and difficult 
to install. Therefore, it becomes more prudent to break down the installation of the 


controls in more manageable phases. [Ref. 33:p. 111] 


D. SYSTEM MANAGEMENT 
1. System Organization 

There are three issues which should be addressed regarding the organization of 
an IS security system. First, there 1s the issue of the appropriate system configuration. 
As indicated in Chapter III, the system can be configured in either a centralized or 
decentralized manner. The appropriate security system configuration is the one that 
corresponds to the manner in which IS resources and components are structured and 
deployed within the organization. In other words, if IS resources and components are 
centralized then IS security controls should be deployed to correspond with it. 

The second issue concerns the placement of the security manager’s position 
within the organization. It is of the utmost importance that the position be as 
independent as possible. The matter of independence becomes even more critical as the 
organization’s level of dependency and the value of its IS assets rise. It would seem 
that the best means of achieving such independence is to have the security manager 
accountable to the highest official in the organization (e.g., the chief executive officer, 
chairman of the board, director). Another approach is to have the security manager 
accountable to a governing body (e.g., board of directors, trustees) or a subdivision of 


such a body (e.g., audit committee, security committee). Also, such higher authorities 
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would be responsible for such items as approving the appointment of an individual to 
such a position, approving the IS security budget and annual security plan, approving 
the salary and performance appraisal of the security manager, and the approval of all 
testosesudts. 

The third issue involves the number of organizational units that are in a 
reporting relationship with the security manager and his staff. It is important that 
there be open established lines of communication between the security manager and 
the classification review committee; IS management; top management; users; and the 
internal audit staff. One means of achieving an effective working relationship between 
all the parties is to establish a permanent security committee. This committee would 
meet on a regular basis to discuss security 1ssues and to establish security policy. 

2. Security Planning 

Security planning involves several significant activities. First, both short range 
and long range planning should be performed. Short range planning is essentially 
operational in nature. That is, it is responsible for planning the implementation of the 
annual security plan. Second, long-range planning should be established. Such 
planning seeks to anticipate or project future threats and vulnerabilities to the IS. Both 
types of planning should be highly coordinated with IS planning activities. 

3. Security System Staffing 

There are several issues in regard to the staffing of the security system. First, 
security staff salaries, promotions, and performance evaluations should be determined 
by the security manager as much as possible with the approval of the highest levels of 
management. This 1s necessary to maintain the independence and objectivity of the IS 
security staff. Second, security staff personnel, even those who work within a 
decentralized security system configuration, should report directly to the organization’s 
IS security manager. Once again, this is to maintain the elements of objectivity and 
independence. Finally, due to the dynamics of IS technology, it is critical that the 
security staff be provided with appropriate IS security training. The staff should 
maintain a library of professional books and periodicals. 

4. Security System Monitoring and Evaluation 

The security staff is responsible for the monitoring, investigation, and 
reporting of the security system’s performance. This is accomplished in several major 
ways. First, the staff can attempt violations at different times and at different levels 


within the IS. The purpose of the violations is to determine if the system responds to 
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such violations in the required time and manner. Second, various kinds of scenarios 
and drills can be performed to train users and to test the installed controls. Examples 
include disaster recovery and fire drills. Third, selected user actions could be monitored 
and investigated to determine if such actions were within their authority. Examples of 
such actions would involve data update, transfer, and destruction, especially of data 
previously classified as extremely critical and extremely sensitive. 

5. Security Components (Tasks) 

A structure will need to be formed to perform the security tasks that were 
discussed in Chapter ПІ, Section C. These tasks involve avoidance, deterrence, 
prevention, detection, and recovery and correction. Depending on the scope of security 
responsibilities, separate departments (or divisions) could be formed for each task. For 
example, the security staff would have a separate department that is only responsible 
for various kinds of recovery and correction programs (e.g., contingency plans, off-site 
back-up, on-site back-up). If the scope of the security staff's responsibilities are more 
limited due, for example, to an organization being at a lower level of IS dependency, 
imjemesevecal of the tasks could be combined in one, department. For example, one 
. department could be responsible for recovery and correction as well as preventive 
programs (e.g., personnel screening, external labels, protect rings for magnetic tapes). 

6. The Security Database 

During the course of the planning, design, installation, and testing of the 
security system, various items of information were entered into what was defined as a 
security database. This information will serve as a basis for effectively managing and 
maintaining the security system. A description of the contents of the database 1s 
contained in Appendix L. 

It is important that the information contained within the database be updated, 
expanded, or reduced as circumstances within the organization and its environment 
changes. The database provides a means for recording and analyzing such changes and 
for planning appropriate responses. By doing so, it provides a valuable decision 
support tool that should be centrally maintained and controlled by the security staff. 

There are some significant changes which will affect the database which 
warrant a brief discussion. First, new laws may be passed which could require the 
installation of new controls on assets. Also, as an organization expands it operations, it 
may deploy facilities and people overseas and into different parts of the U. S. This 
could subject the organization to whatever security-related laws exist within these 


areas. 
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Second, changes can occur to the inventory of assets. If assets are added, then 
the process of classification, threat identification, impact analysis, vulnerability 
assessment, logical design, practical design, and implementation should take place. On 
the other hand, 1f assets are deleted from the inventory, the controls which are applied 
to protect them should be removed when considered necessary. 

Third, the classification program results may have to be changed. 
Circumstances may require either increasing or decreasing the classification levels of 
various applications, data, and transactions. Such changes could be caused by the 
growing significance or insignificance of an application, such as a customer service 
system, to the organizations operations. 

Fourth, the type and probability of various threats could change over time. As 
new assets are added to the organization's inventory, the events which posce threats to 
such assets should be determined and studied. The probabilities of the occurrences of 
these threats will change over time based on historical experiences and the results of 
various tests. 

Fifth, there will be changes to the results of impact analyses. Such changes 
are caused by changes in the costs of replacing and correcting the impacts caused by 
the threats. 

Sixth, an organization's state of vulnerability changes over time. This state 1s 
essentially an indication of the organization's level of protection over its assets at any 
given point in time. As the combination of assets, threats, and controls changes over 
time, so does the state of vulnerability. One measure of the performance of the security 
staff is how material the vulnerability state is at any given point and the length of time 
that such a state has existed. The materiality of the state could be measured by the 
number of vulnerabilities which pose the greatest threats to those applications, data, 
and transactions which were classified as extremely sensitive and extremely critical. The 
results of the various testings, monitorings, and audits provide additional information 
which would help determine the state of the IS vuinerability and provide a means to 


assess Its performance. 


E. CONCLUSIONS 
This phase resulted in the installation and testing of the controls which were 
selected during the design phase. Also, a structure, components (tasks), procedures, 


people, and information were combined to provide an overall management for the 
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developed security system. The system's management has two significant 
responsibilities. First, it 1s responsible for ensuring that the established security system 
is performing in an effective and efficient manner. Second, the security system 
management is responsible for ensuring that the system appropriately responds to both 


internal and environmental changes which affect it. 


А: 


VII. CONCLUSIONS 


This new development (automation) has unbounded possibilities for good and for 
evil. [Norbert Wiener] 


This thesis 1s ended the way it was started. That is, with a statement about the 
potentials for both the good and bad that could result from the unleashing of 
automation technology upon society. Just as the unleashing of the power that fuels the 
stars has had ever growing consequences upon the way man lives, so too has the 
unleashing of the physical and logical properties that can manipulate and communicate 
pulses of electricity. The good of automation technology has been present from the 
beginning of its infusion within the society. It has only been in recent years that the 
dangers and problems have been given greater attention. It is in response to these 
dangers and problems that IS security arises as an issue. It embodies two of the basic 
principles of our democratic society. That is, the need for appropriate checks and 
balances and that unlimited power could eventually lead to the limitation of human 
rights and freedoms. The infusion of automated technology has grown ever rapid and 
wider. This thesis offered a brief description of just how wide and rapid the applications 
of the technology have become throughout society and some of the dangers which 
have resulted. 

This thesis also offered a means of viewing computers in a much broader and 
more refined context than that usually offered. The approach offered involved 
addressing the subject of computers from the context of a "system". The conventional 
definition of a computer system narrowly defines it as consisting of hardware, software, 
people, data, and procedures. However, within the broader context of a “systems 
approach”, these items would only just represent the resources part. The remaining 
parts involve the objectives, environment, components (tasks), and the management. 
Within this framework, an “information system” is defined. The same approach was 
followed to construct a framework for a security system. 

As a means of constructing an IS security system within this framework, a three 
phased generic development model was presented. The planning phase of the model 


establishes security policy (objectives and priorities); determines the extent of security 
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requirements; identifies assets requiring protection; and classifyies the assets based on 
their level of criticalness and sensitivity. This classification forms the basis of the 
subsequent design of controls which will be applied to the assets to provide the 
necessary protection. This design of controls involves an initial identification of threats 
and their probable economic impacts to the assets. The current state of protection 
provided to the assets is subsequently assessed. A configuration of controls is 
constructed to remedy any established security weaknesses. The implementation phase 
provides the testing and installation of the controls which are needed to actually link 
the IS security system with the IS. A management structure is established to maintain 
and improve the developed security system. 

It is believed that the thesis offers a definitional framework and development 
model of sufficient substance so as to serve as a basis for the performance of security 
system developments within a broad range of organizations. The depth and scope 
within each phase will vary by its application to a wide range of organizational 
situations. However, the basic concepts of asset identification, definition, and 
classification; threat identification; impact analysis; vulnerability assessment; and the 
cost-benefits of controls should remain stable enough to provide a basis for the model’s 
change and continued use over time. An organization’s need for this model or any 
other security system development and management approach will be substantially 
increasing over time. The causes for this increasing need lie outside and within an 
organization. 

There is a rising public awareness and concern with the issues of IS security. The 
political institutions are responding more and more with laws which address these 
issues. For example, at the time of this writing, the Congress of the U. S. approved the 
Computer Fraud and Abuse Act of 1986. [Ref. 42:pp. 1 & 8] If signed by the President, 
as expected, the act will expand federal jurisdiction to cover interstate computer crimes 
in the private sector. The act would make it a federal misdemeanor to traffic in stolen 
passwords with intent to defraud or to intentionally trespass in a "federal-interest 
computer^ to observe or obtain data. It would be a felony to access such a computer 
for a theft-by-computer scheme or to alter or destroy computer data - if the victim 
suffers a loss of at least S1,000 or if the files are medical records - without 
authorization. Also passed by the Congress and awaiting the President's signature 15 
the Electronic Communications Privacy Act. This act would change and update the 


1968 Federal voice-oriented wiretap law to reflect dramatic changes in computer and 
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communications technologies, including the expansion of electronic mail and 
development of computer networking. It would make it illegal to access electronic 
messages without authorization. On an international scale, there are efforts underway 
to control transborder data flow (TBDF), or the transmissions of electronic 
information across national borders. The protection of the content of the information 
being transmitted is a major issue that is under discussion. [Ref. 43:p. 37] It is believed 
that this continued public awareness and regulation will be increasing the mandatory 
IS security responsibilities of organizations. This will require increased internal 
expenditures for IS security. 

Also, as organizations come to rely more and more on computer technology for 
basic operational needs as well as to support the achievement of strategic objectives, 
there are increasing pressures to protect their IS assets. This increasing reliance on 
computer technology is reflected in rising levels of dependency which was previously 
discussed. Both the external and internal pressures faced by organizations to provide 
adequate IS security makes it increasingly essential that they have an orderly, 
well-defined approach for developing, operating, and managing a system which can 


meet their security requirements. 


74 


APPENDIX A 


iS ASSETS 


FACILITIES. These include a data center's physical 
plant and its supporting devices and utilities. 


Physical Plant. Actual structure in which data proces- 
sing and communications are housed including auxiliary 
buildings such as PBX areas, generator buildings, 
cooling towers. 


Electrical Power Systems. Transformers, wiring, 
generators, power filters, uninterruptible power 
sources, emergency/backup power units. 


Environmental Support Systems. Air conditioning 
compressors, dehumidifiers, air-handling units, duct- 
work, water chilling units, thermostats, humidistats, 
plumbing, air intake equipment. 


Fire Detection and Suppression Systems. Smoke/heat 
detectors annunciator panels, alarms, Halon 1301/1211, 
CO2, water sprinkler systems. 


Intrusion Detection and Alarm Systems. Motion detec- 
tors, magnetic contact switches, vibration sensors, 
annunciator panels, alarms, closed-circuit television 
and videotape recording units, facility access control 
monitoring systems. 


Hardware. This includes all data processing and commun- 
ications hardware. 


Central Processing Unit. Main memory, cache memory, 
arithmetic logic unit, channels, operating console, 
system disk, associated peripheral processing units. 


Magnetic Storage Devices. Magnetic disks (including 
floppies), tape, drum. 


Local Input/Output Devices. Printers, card readers, 
MICR readers, local terminals, COM units. 


Communications Controllers. Auxiliary processors placed 


between CPU and transmission facilities to handle such 
functions as line management and code translation. 
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2.5 Modems. Devices translating Signals between 
input/output devices and communications lines. 


2.6 Terminal Concentrators. Devices that link multiple 
channels to allow use of common transmission channels. 


2.7 Digital Switches. Devices designed to create or break a 
physical communications circuit, generally within a 
network control center. 


2.8 Remote Input/Output Devices. All input/output devices 


on distal (outbound) side of model (e.g., remote 
terminals). 
2.9 Cryptographic Devices. Devices designed to encrypt or 


scramble voice or data transmissions, rendering them 
unintelligible if intercepted by unauthorized persons; a 
compatible device decrypts messages into intelligible 
form at receiving end. 


2.10 Multapiexcmss Devices that take a number of communi- 
cations channels and combine signals into one common 
channel for transmission; at receiving end, demultiplex- 
ог separates signals. 


2.11 Local Loop. Communications circuit between user loca- 
tion and telephone company central office. 


2.12 Terrestrial Microwave Circuits. All proprietary 
terrestrial microwave communications circuits and 
facilities maintained and operated by user for local or 
long haul communications. 


2.13 Satellite Circuits. Proprietary satellite communica- 
tions circuits and facilities, such as earth stations 
and antennas, operated by user for point-to-point satel- 
lite transmission. 


3.0 Software. This group of assets includes all systems and 
applications software and chips used by the mainframe 
and distributed processors. 


3.1 Operating Systems. Systems software (generally vendor 
supplied) that performs job control/scheduling, 
input/output control, interrupt, file maintenance, high- 
level language support (compilers/assemblers), memory 
allocation, logging of system activities (e.g., MVS, 
OS/MVT, GCOS). 


3.2 Data Base Management Systems. All software necessary to 


develop, use, maintain data base systems (e.g., IMS, 
IDMS, IMAGE). 
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Communications Control Software. Software contained in 
either host processor or a network frontend communica- 
tions controller that controls such functions as message 
switching, line monitoring/control, message parity/error 
checking, handshaking, line allocation. 


Security Software. Software designed to conduct extend- 
ed access checking beyond that performed by communica- 
tions software or operating system, to restrict access 
to protected resources, and to monitor line activity. 


Applications Software. All user-oriented software 
developed in high-level languages and running under 
supervision of operating system. 


Data. Data can be defined in three broad groups. 


Financial Data. Checking account balances, accounts 
payable/receivable, funds transfer balances. 


Proprietary Data. Sensitive business data (trade 
secrets), sensitive non-business data (personnel 
records, salary levels), restricted records (tax 


records, public assistance information, other records 
restricted by law or regulation). 


Personal Data. Personnel records (pay, performance), 
credit records; medical records, educational records, 
all records covered by state and federal privacy laws. 


People. There are seven groups of people. 


Computer Operator. Operates computer from console; 
alters job schedules/priorities, initiates program exe- 
вшетоп, responds Со system error messages, 


mounts/demounts magnetic media. 


Data Entry Clerk. Operates remote terminal; enters 
transactions, data, programs. 


Media Librarian. Files, retrieves, accounts for offline 
storage of data/programs on removable magnetic media; 
provides media to production control, cycles backup to 
remote facilities. 


System Programmer. Designs, develops, installs, docu- 
ments, maintains operating systems, DBMSs, communica- 
tions software, system accounting features, security 
software packages. 
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5.5 Application Programmer. Designs, develops, installs, 


documents, maintains user programs and application 
systems. 


IS Security Manager. Plans, implements, installs, oper- 
ates, maintains, and evaluates physical, operational, 
technical, procedural, personnel-related controls. 


IS Auditor. Performs operational, software, and data 
file reviews to determine adequacy, performance, 
security, compliance with organizational policy, proce- 
dures, standards; participates in design specification 
of applications to ensure adequacy of controls. 


SOURCE: Ref. 26: pp. II-3-1 to II-3-3. 
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APPENDIX B 


SENSITIVITY CEASSIPICAPLON LEVELS 


Sensitivity Level 
A BEREN DME Е 


Competitive Data 

The willful or inadvertent release 

or disclosure of this data could 

result in a competitor being given 

a significant business advantage 

over the organization. The effect 

of such disclosure on the bottom 

line could be: 

More than $10,000,000 X 
$1,000,000-$10,000,000 X 
$100,000-$1,000,000 X 
$10,000-$100,000 X 

Up to $10,000 X 
None X 


оно 
Hn won M 


Data with Fraud Potential 
Unauthorized modification of 
accounting or authorization data 
that controls the disbursement of 
funds could result in a fradulent 
disbursement of: 


5 = More than $10,000,000 Х 

4 = $1,000,000-$10,000,000 X 

3 = $100,000-$1,000,000 X 

2 = $10,000-$100,000 X 

1 = Up to $10,000 X 

О = None X 


Privacy Data 

Personal data directly traceable 

to an individual either is covered 
under federal, state, or local 
privacy legislation or is considered 
company private. This data consists 


of: 5 = Personal/Health/Credit Data X 
4 = Financial/Account Balance Data X 
3 = Salary/Performance Data X 
2 = Name/Address Data X 
1 = Other Х 
O = None X 
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Note: 


м шоо шр 


SOURCE: 


Extremely Sensitive 
Highly Sensitive 
Sensitive 

Moderately Sensitive 
Minimally Sensitive 
Nonsensitive 


Ref. 26: p. I-E-3. 
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APPENDIX C 


CRITICALNESS CLASSIFICATION LEVELS 


Srrcicalness 


The availability and accuracy of this 


data have the following effect on 
overall application operation: 


5 


4 


0 


System cannot operate without it. 


System would be seriously im- 
paired to the point where its 
usefulness would be 
questionable. 


System operation would be 
degraded; however, main 
functions would be useful or 
available. 


System would experience some 
impact; however, all functions 
would be usable or available 
with somewhat degraded response 
times. 


System would be minimally 
impacted by loss of this data; 
loss would occasion no opera- 
tional degradation 


NO impact. 


NOTE: 


Extremely Critical 
Ниса critical 
сетел са 
Moderately Critical 
Minimally Critical 
Nenerltical 


нячняо 
uH Ww W Wu H M 
uH HW m HW W I 
омол 


SOURCE: Ref. 26: р. І-Е-4. 
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Criticalness Level 
GHI Law Ki 


SENSITIVITY /CRITICALNESS MATRIX 


Competitive Data With 
Data Fraud Potential 
О Е E 
1 Е; E 
2 D D 
3 С С 
4 B B 
5 A A 


NOTE: 


Highly Sensitive 
Sensitive 


uH Hn W i 


Nonsensitive 


Highly Critical 
Cričťčical 


няжяантончыооор 


Noncritical 


APPENDIX D 


Extremely Sensitive 


Moderately Sensitive 
Minimally Sensitive 
Extremely Critical 


Moderately Critical 
Minimally Critical 


OPNWAUOPNWAL 


Privacy 
Data 


E 


E 


0-5 = Sensitivity/Criticalness Levels 


SOURCE: геси 


Ф 


Тее 
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Criticalmess 


APPENDIX E 


THREATS 


А.0 NATURAL THREATS 
A.1 Threat: Internal flooding 


Examples: 

* Water or steam pipes in walls or ceilings adjacent 
to the data center burst, causing flooding and/or 
corrosion from water and steam. 

* Water chiller pipes used for equipment cooling 
burst or leak, flooding and/or shorting electrical 
components. 

The sewer system serving adjacent lavatory facili- 
ties backs up, spilling water and sewage into the 
data center. 

A wet-pipe sprinkler head in the computer room mal- 
functions or is accidentally knocked loosed, dis- 
charging high-pressure water into the data center. 


A.2 Threat: External flooding 


Examples: 

* Runoff from rains accompanying hurricanes or other 
storms overloads storm drains, flooding below- 
ground-level data centers. 

Rooftop cooling towers for air conditioning on 
water storage tanks for fire suppression burst or 
leak, flooding floors beneath them. 

Coastal or lakefront areas are flooded by tsunami 
or tidal wave activity. 

Water buildup on flat roofs leaks into lower 
Лобос, 


A.3 Threat: External fire 


Examples: 

б“ Fire in another part of the facility housing the 
data center spreads to the equipment area or makes 
access to the data center impossible. 

Fire in the supporting utility area is carried by 
the air-handling system to the DP area. 
Fire in the building's electrical system, while not 
directly involving the data center, makes the data 
center inoperable through loss of power. 
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A.4 Threat: Internal fire 


oe 
Improperly installed wiring in wiring closets or 
under raised flooring starts a fire. 
Careless use or storage of combustible materials, 
such as paint, solvents, or cleaners, results in 
fire. 
Careless use of matches, lighters, or smoking 
materials ignites flammable materials--paper stock, 
plastics, апа oxide-based materials, such as 
magnetic tapes and disks. 


A.5 Threat: Seismic damage 


PX 
Even relatively small tremors cause head crashes or 
other vibrational damage. 

* Tremors cause structural failure, resulting in the 
collapse of walls, ceilings, and floors (even small 
tremors can do this to internal construction, such 
as raised floors and suspended ceilings, within the 
data center). 

Seismic vibration causes bursting of water pipes, 
damage to HVAC equipment, and disruption of elec- 
trical service. 


A.6 Threat: Wind damage 


гето 

Hurricanes ог tornadoes may cause structural 
failure of the facility, resulting in major damage 
to system components. 

In facilities with exterior windows, the sudden 
cyclonic low pressure associated with tornadoes 
shatters windows with explosive effect, causing 
severe injury to personnel and serious damage to 
equipment. 


A.7 Threat: Snow and/or ice storms 


Examples: 
Excessive snow accumulation on rooftops causes 
structural collapse. 
Ice accumulation on power supply causes cable 
failure, resulting in power outage. 
Impassable roads prevent essential personnel from 
reporting for normal work schedule. 
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peo ACCTID 
B.1 Threa 


Examp 


B.2 Threa 


Examp 


B.3 Threa 


Examp 


ENTAL THREATS: TECHNICAL 
t: Power failure/fluctuation 
les: 


Facilities without adequate power conditioning 
(filtering) experience equipment damage or destruc- 
tion of data as the result of spikes or surges 
caused by the introduction of large quantities of 
additional power, such as lightning strikes. 

The power utility experiences total failure. 
Facilities with inadequate uninterruptible power 
sources experience data loss during power reduc- 
tions (brownouts) by the utility. 

The internal distribution system (e.g., transform- 
er) fails, denying the facility electrical power. 


t: Heating, ventilating, air conditioning failure 


les: 

Environmental control systems malfunction, causing 
the temperature in equipment areas to exceed safe 
ranges for operation, resulting in erratic equip- 
ment performance, damage to equipment and data, for 
pare. 

Improper or inadequate preventive maintenance of 
HVAC equipment (e.g., failure to change filters or 
to recharge freon) causes erratic performance of 
equipment failure. 

HVAC systems have inadequate capacity to handle 
periodic extremes of temperature or humidity. 
System enhancements made without adequate consider- 
ation to existing HVAC capacity cause degradation 
of service or failure from system overload. 


t: Failure of communication circuits 


les: 

Circuits are physically destroyed ру natural 
disaster or vandalism. 

Excessive noise or crosstalk on telephone company 
lines garbles messages during transmission. 

Natural phenomena (e.g., sunspots) disrupt micro- 
wave and satellite communications. 

Excessive demand for existing circuits causes 
queuing and routing problems. 

Malfunction or failure of switching hardware at 
telephone company central office causes failure to 
establish switched circuit or misrouting of message 
ББӘШІІСЕ 


85 


B.4 Threat: Failure of communications hardware/firmware 


Examples: 
Failure of switching in a store-and-forward network 
results in lost message traffic. 
Failure of communications controllers, modems, 
cryptographic devices, or digital switches causes 
service denial. 


B.5 Threat: Failure of communications software 


Exon 
Software in a network front-end processor fails 
during authentication, data validation, error 


detection/correction, polling, or other activity, 
resulting in errors, lost or changed messages, or 
Service denial. 


B.6 Threat: Malfunction or failure of CPU, mass storage, or 
I/O devices 


ЕВ 
Malfunction оГ failure of system hardware 
components during input, processing, or output 
destroys critical data or denies service to system 


users. 
* Inadequately trained operators damage critical 

components. 

Improper/inadequate maintenance causes hardware 

failure. 


Hardware delivered by the vendor does not perform 
to specification or fails because of improper manu- 
facture or installation. 

Performance characteristics and reliability have 
been misrepresented by vendor. 


B.7 Threat: Malfunction or failure of systems software 


Exon 
Operating systems, data base management systems, 
and the like malfunction or fail, causing modifica- 
tion of data, lapse of system control, or service 
denial. 
Local system programmers improperly design enhance- 
ments to systems software. 
Vendor-released software changes are improperly 
installed and inadequately tested prior to 
operational use. 
Attempts by users to circumvent access control 
mechanisms cause operating system to crash. 
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B.8 Threat: Malfunction or failure of applications software 


Examples: 


B.9 Threa 


Examp 


ED Thr 


Examp 


Application packages inadequately tested prior to 
implementation allow logical errors ЕО Бе 
introduced to operational systems. 

Changes are made to applications without a concur- 
rent change to user documentation, run books, and 
job setup procedures, causing program errors. 

Poor logical design of software (because of inade- 
quate specification and program verification) 
results in program malfunction or failure. 


t: Electromagnetic interference (EMI) 
les: 


Radio transmitters and radar units (both ground and 
airborne) in the proximity of the facility inter- 
fere with operations. 

The introduction of televisions, CB radios, and 
other electronic equipment into the data center 
changes bit configurations in core. 

Static electricity from carpeting causes accidental 
erasure of data on magnetic media. 


eat: Electromagnetic emanations 


les: 

Conventional telephone instruments, lamps, radios, 
and other electrical devices act as transmitters 
and radiate electromagnetic signals. 

Improperly grounded equipment, electrical junction 
boxes, and cable troughs turn the entire building 
into an antenna for the transmission of signals. 


С.О ACCIDENTAL THREATS: HUMAN 


C.1 Threa 


Examp 


Е: Data entry error 

les: 

Careless data entry operators miskey data during 
input. 


Careless handling of source documents results in 
dual entry of the same transaction. 

Data entry operator fails to enter data from a 
source document. 

Entry errors cause processing errors, halts, or 
output errors. 
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C.2 Threat: Improper handling of sensitive data 


Examples: 


Source documents for sensitive transactions (e.g., 
check posting, authorization of payment vouchers) 
are inadequately safeguarded to prevent fraudulent 
modification or substitution prior” to” entry eine 
the system. 

Passwords/user IDs are not properly safeguarded: 
they are written on a terminal or desk blotter, 
passed to other users for convenience, and so on. 
Data control clerks do not require that all output 
be signed for by the user. 

Sensitive output or tapes are left unattended in 
offices, reception areas, or terminal rooms. 


C.3 Threat: Unauthorized physical access 


Examples: 


Laxity or lack of training on the part of data 
center personnel permits access to the facility by 
unauthorized personnel. 

Visitors are not properly escorted while in the 
facility. 

Maintenance personnel and vendor representatives 
who frequently visit the facility are allowed 
unescorted access (even though this is not 
authorized). 

Former employees retain or obtain possession of 
combinations, keys, magnetic access cards, and 
other means of access. 


С.4 Threat: Accidental damage to hardware, software, or 


data 


Examples: 


Inexperienced or careless operators clear memory 
locations without properly backing up data or 
programs. 

Operators attempt to fix abends on production 
shifts without calling software support personnel, 
damaging production programs or data. 

Inexperienced or improperly trained programmers use 
systems software "hooks" to enter supervisor state 
to apply quick fixes to software problems, damaging 
systems software or data. 
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D.O MALICIOUS THREATS 
D.1 Threat: Malicious damage/destruction of physical assets 


Examples: 
" Radical group destroys the data center fOr 
ideological reasons. 
Data center is vandalized. 
Disgruntled employee seeking vengeance destroys or 
sabotages system resources. 


D.2 Threat: Malicious damage/destruction of software or 
data 


Examples: 
. Software or data is damaged or destroyed as part of 
a planned assault on system resources or as random 
vandalism. 
Disgruntled employee erases data files and/or 
program files. 
System penetrators destroy data files. 


D.3 Threat: Unauthorized access to data/theft of data 


Examples: 

" System programmers, operators, auditors, managers, 
or other persons in sensitive positions circumvent 
access control procedures to obtain information for 
their own benefit or that of a third party. 
Penetrators successfully circumvent access control 
mechanisms and gain access to sensitive data files. 
Sensitive data transmittal in unencrypted form is 
monitored and its content made available to 
unauthorized persons. 

A program masquerades as the log-on subroutine and 
illicitly obtains passwords and user IDs. 
Programs mimic device identification of legitimate 


output devices (CRTs, printers, etc.), causing 
restricted data to be output to unauthorized 
devices. 


D.4 Threat: Unauthorized modification ОГ software ОЁ 
hardware 


Examples: 

A "trapdoor" program is inserted in systems soft- 
ware to bypass operating system controls and allow 
clandestine entry into supervisory mode while 
Simultaneously suppressing any record of mode 
entry. 

A "Trojan horse" code module is inserted in a 
critical application program то perform ап 
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D.5 Threa 


Ехашр 


SOURC 


unauthorized act (e.g., credit an account, disre- 
gard a debit entry, write a check) without appear- 
ing on the audit trail. 

Firmware security modules are covertly replaced 
with modules that negate firmware implementation of 
security controls. 


t: Fraudulent generation or modification of data 


les: 

Data is modified to cover evidence of poor perform- 
ance, incompetence, or prior illicit behavior. 
Sales figures are inflated to increase performance 
statistics. 

Inventory 15 understated for purposes of tax 
evasion. 

Assets are overstated for purposes of manipulating 
a loan application. 

Data is modified to conceal bribery of an official 
or other illegal activities. 

Fraudulent payments are generated. 


E: Ref. 26: рро ІЕ-2-1 Come. 
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Threats 


А.1 


APPENDIX F 


THREAT/ASSET MATRIX 


Assets 


ООШ 11:15, 21, 22, 2:3, 
2 СОЮ ОС 772.8, 2.9, 2.10, 2.11 


ШЕШ ЧОО de 1.5, 2.1, 2.1, 2.3, 
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SOURCE: 
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APPENDIX G 


ORDERS OF MAGNITUDE OF ESTIMATED IMPACT AND FREQUENCY 


IMPACT: 
STO. let a = 1 
$100, let 1 = 2 
ООО Е — 5 
$10,000, let i = 4 
$100,000, let 1 = 5 
$1,000,000, 1евш - 6 
$10,000,000, let i= 7 
$100,000,000, let i= 8 
FREQUENCY: 
Once in 300 years, let f = 1 
Once in 30 years, let f = 2 
Once in 3 years, let f = 3 
Once in 100 days, let f = 4 
Once in 10 days, let f = 5 
Once per day, let f = 6 
10 times per day, let f= 7 
100 times per day, let f = 8 


СИКСЕ REL. 43: p. 3E-7. 
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APPENDIX H 
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APPENDIX I 


SECURIT ARES OURCES (CONTROLS 


PHYSICAL SECURITY CONTROLS 


1. Electronic Access Control Systems (EACs) 

Install electronic systems to control and monitor physical 
access to all restricted areas within the data center. 
These systems generally consist of a small CPU containing 
access control tables, which journals and records access 
information, plus personal identification and authentication 
(PI&A) devices that identify users to the system. Among the 
PI&A technologies currently used as part of EACs are the 
following: 

1.1 .- Magnetic card/badge readers--These mediate access 
based on reading a magnetically encoded badge or 
card; often used in conjunction with electronic 
cipher pads and other PI&A technologies. Proce- 
dures for the control of cards and badges should be 
developed. 

1.2 ° Biometric devices--These devices measure certain 
physical characteristics of an individual; they 
include hand geometry readers, fingerprint 
analyzers. 

1.3 -* Voice Recognition Units--Digitized voice input is 
compared with stored digital voice signature data. 

1.4 >. Signature Analysis--Stored digitized handwriting 
sample is compared with signature obtained from 
user when entry is desired. 


2. Intrusion Detection Systems (IDSs) 
Use these devices to detect and monitor unauthorized entry 


into restricted areas. IDSs use several technologies that 
are suited to particular protection situations. 

2.1 -* Passive infrared--The presence of intruders is 
detected from the thermal radiation emitted by the 
human body. Use for surveillance of doors, 
windows, and enclosed areas. 

2.2 ° Active infrared--Infrared beam is projected across 


area to contact a light-sensitive cell; hidden 
mirrors allow the beam to crisscross the area. 


Movement is detected by a break in the beam. Use 
for surveillance of passage ways, other large 
areas. 

2.3 ° Ultrasonic systems--These flood an area with 


ultrasonic radiation and detect intruders from 


25 


changes in wave patterns. Use for large enclosed 


areas. 

2.4 "5 спе Systems--Sensors installed on walls, 
ceilings, floors detect any sounds in enclosed 
areas. Use where there is a minimum of extraneous 
noise. 

2.5 * Magnete contacts--Contact alarms form an 
ẹlectrical Circ urt: Breaking the circuit (as in 


opening a door or window) activates an alarm. Use 
on doors, windows, file cabinets. 

2.6 ° Vibration sensors--These detect vibrations caused 
by breaking glass or attempts to break through a 
wall, floor, or ceiling. 

2.7 ° Microwave systems--Similar to ultrasonic systems, 
these systems emit high-frequency radio waves that 
are transmitted by and partly reflected back to 
antenna. The frequency changes when the waves 
strike a moving object. 


3. Electromagnetic Interference (EMI) Prevention 
High-energy electromagnetic radiation, such as that given 
off by TV transmitters, microwave equipment, and high- 
powered UHF/VHF transmitters, may alter bit settings in core 
or change data stored on magnetic media. Precautions should 
be т to prevent damage from EMI by: 


S Locating equipment away from high-energy sources. 
3.1 .- Proper grounding of all equipment. 
3.3 ° Exclusion of radios, TVs, microwave ovens, and 


other non-DP-related electronic devices from 
equipment areas. 


4. Fire Detection and Alarm Systems 
All DP facilities should be equipped with adequate fire 
detection and alarm systems, as specified by National Fire 


Protection Association (NFPA) Standard 75[4]. Two basic 
technologies are used: 
4.1 ° Smoke detectors--Photocell or ionization-type 


devices should be installed in: 
--Equipment areas 
--Spaces above false ceilings 
--Areas beneath raised flooring 
--Таре libraries 
--Forms and supply storage areas 
--Office areas and passageways 
4.2 ° Heat detectors--Two types are generally used: 
rate-of-rise and temperature threshold. Rate-of- 
rise detectors should be installed in: 
--Areas beneath raised flooring 
--Electrical closets and in electricity-generating 
areas 
Temperature-threshold sensors should be used in: 
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--Tape libraries 
--Forms and supply storage areas 
--Office areas and passageways 


All detectors should be integrated with an alarm system that 
is visible as well as audible. Alarm annunciation should be 
both local and at a fire station or central fire/security 
control center. 


5. Fire Suppression Systems 
All facilities should have both automatic and manual fire 
suppression systems: 
* Automatic systems--These are activated automatical- 
ly as a result of detector activation: 

5.1 Water sprinkler--Provides continuous suppres- 
Sion as long as water source is available. 
Only dry-pipe systems, which are not charged 
with water until a heat/fire/smoke detector is 
activated, should be used. 

5.2 Halon 1301--One-shot systems with no 
continuous suppression after initial; elimi- 
nate danger of water damage. 

5.3  CO5--Not for use in areas where personnel are 


present. Effective for under-floor suppres- 
Sion or in areas with potential for electrical 
fires  (e.g., electrical closets, generator 
areas). 


5.4 Manual systems--Hand-held extinguishers of CO, 
оК Насс 301 Ог 121 


6. Emergency Power 

Equip the facility with battery- or automatic generator-. 

driven emergency power. System capacity should be suffi- 

cient to power the following minimum essential systems for 

48 hours: 
* Electrically activated door locks. 

- Fire detection and suppression systems. 

- Intrusion detection and alarm systems. 

° Intercoms and internal telephone systems. 


7. Emergency Lighting 

Equip facility with battery- or automatic generator-powered 
emergency lighting in the data center, passageways, and 
stairwells, and at all emergency exists. All units should 
begin immediate operation when power fails and allow 
sufficient time for an orderly evacuation of the facility. 


8. Facility Location 

The physical location of a facility, both geographically and 
within a larger structure, can have a major effect on its 
overall security. In locating DP facilities, consider the 
following factors: 
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Geographic 

--Out of floor plains, earthquake zones, landslide 
areas, hurricane or typhoon zones, and tornado- 
prone areas. 

--Away from high-crime areas. 

--Away from high levels of high-frequency microwave 
or radio transmissions (e.g., airports, microwave 
relay sites). 

--Far enough away from highways, railways, and 
heavy construction to avoid damage from vibration. 
--Away from flammable or explosive material storage 
areas. 

Location within a structure 

--Above ground level. 

--Below the top floor. 

--In the interior of the building away from 
exterior windows. 


9. Facility Construction 

Construct the DP facility in accordance with existing fire 
and occupational health and safety standards. Pay particu- 
1аг SEN, cin to ensuring tchat: 


The facility is constructed of fireproof material 
in accordance with the National Fire Code, NFPA 
7044 1. 

The facility is windowless, or existing windows are 
secured with steel screening or louvers, and all 
are alarmed. 

The facility has adequate emergency exits and 
egress Signalling in accordance with NFPA standards 
[4]. 

The facility uses architectural features such as 
man-traps and single access points to enhance 
overall security. 

The facility provides adequate space for proper 
equipment installation, cable troughs, ducting, and 
other adjuncts of data processing. 


10. Housekeeping Standards 
Maintain basic standards of housekeeping within the data 


center. 


Prohibit eating, drinking, and smoking in equipment 
and forms of storage areas. 

Keep the area under the raised flooring clean and 
free of dirt and trash. 

Empty trash receptacles regularly. 

All DP personnel should be held responsible for a 
clean working environment. 

Supervisors should periodically inspect areas for 
adequate housekeeping. 
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11. HVAC Systems 

Because heating/ventilating/air conditioning systems are 

crucial to the basic functioning of DP department, certain 

basic steps must be taken to ensure the uninterrupted 

functioning of these systems. These steps should include: 
Regular maintenance of all HVAC equipment. 
Multiple heat-pump/chiller units with sufficient 
capacity to provide backup in case of unit failure. 
Use of HVAC systems dedicated to DP operations--not 
supporting any other functions within the facility. 
Temperature/humidity alarms CO warn of 
environmental control problems. 


12. Closed Circuit Television (CCTV) 
CCTV used in conjunction with video tape recording (VTR) 
equipment is a powerful security monitoring tool and an 
песет уе deterrent. Useful CCTV for surveillance of: 
Unattended terminals and other sensitive equipment. 
Facility entranceways. 
Internal passageways and stairwells. 
° Supporting utilities (e.g., HVAC areas, telephone 
wiring closets). 
In multiplexed systems (using more than one camera per 
monitor), ensure that the camera-to-monitor ratio does not 
exceed five to one. If cameras are not constantly monitored 
by guard force personnel, they should be equipped with VTRs 
at a ratio of no more than five to one. 


13. Uninterruptible Power Supply (UPS) 
Provide an uninterruptible power supply of sufficient 
capacity to allow for graceful system shutdown in the event 
of power failure, through use of: 
A battery system that provides enough time to dump 
files and bring the system down. 
A combination battery/generator system, in which 
the battery provides sufficient backup until the 
cut-over to generator power can be accomplished. 


14.  Color-Coded Badge System 
Segregate the data center into various control zones based 


on sensitivity (e.g., tape library, DASD area) and issue 
color-coded badges identifying the areas to which personnel 
are authorized access. These badges can be used in lieu of 


in conjunction with an electronic access control system. 
Develop procedures for issuing, controlling, and retrieving 
the badges. 


15. Control of Chilled Water Supply 

Ensure that: 
Pumps used for chilled water distribution are in a 
physically secure area. 
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There is an alternative source of chilled water in 
the event that the primary source fails. 

Chilled water pipes are adequately insulated to 
prevent condensation build-up and leakage onto 
equipment. 


16. Secure Air Intake Ducts 

Ensure that unauthorized persons cannot enter the data 
center by crawling through air intake ducts, using alarmed 
tamperproof grates. 


17. Secure HVAC Equipment 
Install HVAC equipment in a physically secured location. 


18. Secure UPS and Motor Generator Equipment 
Ensure that UPS and motor generator equipment are in 
physically secured location. 


19. Secure Electrical Distribution Panel 
Ensure that the electrical distribution panel is in an area 
physically secure from access by unauthorized persons. 


20. Emergency Power Shut-Off 

Equip facility with an automatic power shut-off that will 
kill all electrical power to equipment upon activation of 
any smoke or heat detector in the facility. In additio 
install manual shut-down switches at all fire exits. 


21. Floor Lifters 
Provide floor lifters wherever hand-held fire extinguishers 
are placed. 


22. Hand-Held Extinguishers 

Mount hand-held extinguishers (preferably Halon 1211) 
strategically in the equipment area in accordance with NFPA 
standards [4]. 


23.  Fire-Resistant/Noncombustible Furnishings 

Ensure that all curtains, carpeting, furniture, raised 
flooring, false ceilings, insulating material, and so on are 
made of noncombustible materials or are treated with fire- 
retardant materials. 


24. Waterproof Covers 

Equip the computer room with waterproof equipment covers to 
prevent damage from flooding ог sprinkler discharge. 
Develop written procedures outlining the use of the covers 
and ensure that personnel are familiar with them. 


257 Water Detectors 


Install water detectors under raised flooring and around 
water chiller units and pipes. 
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26.  Under-Flood Drainage 

Provide adequate drains under raised flooring areas around 
water chiller units and pipes.  Regularly inspect drains to 
make sure they are open and free of trash. 


27. Watertight Ceilings 
Ensure that ceilings are sealed and watertight to prevent 
damage from water leaking from higher floors. 


28. Visitor Control 
Treat all personnel not requiring regular access to the 


facility as visitors. Visitor-control procedures should 

include: 

28.1 >- Issuance of a distinctive badge that identifies the 
wearer as a visitor. 

28.2 °> Requiring all visitors: to sign in and out of the 
facility on a visitor log. Logs should be checked 


at the end of each shift to ensure that all 
Visitors are accounted for. 

28.3 ° Requiring visitors to be escorted at all times 
while in the facility. 


29. Vendor Personnel Control 


Control access by vendor personnel, such аз customer 
engineers and maintenance technicians, by having them: 

29.1 - Undergo the same background screening as other 
personnel with access to the same facilities and 
systems. 

29.2 > Issued contractor badges. Replacement personnel 
sent by the vendor, however, should be treated as 
visitors until receipt of proper access 
authorization. 


30. Backup-Media Security 
Take adequate physical security measures to safeguard backup 
magnetic media (disks and tapes) during both transit to off- 
Site storage and storage at the remote site. These measures 
include: 
* Moving media to off-site storage in double-locked 
containers under dual control. 
" Written procedures covering the authorization of 
personnel to perform the transfer. 
* Continuous receipting at both the point of origin 
and the destination. 
Providing the same level of physical protection at 
the off-site location at the primary site. 


31. Destruction of Sensitive Output 

Provide adequate written procedures and equipment (e.g., 
degaussers, pulpers, paper shredders, incinerators) for the 
destruction of sensitive printouts, carbons, microfiche, and 
other human-readable media; and ensure that they are used. 
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32. Guard Force 

Use a guard force (whether organizational personnel or a 
professional group) to provide 24-hour-a-day control of 
entry and egress to the facility in which the data center is 
housed, the date center area, equipment areas, and other 
areas of especially high sensitivity (e.g., tape library, 
DASD area). 


33. Limit Entry/Egress Points 

Permit all entry and egress to the data center, equipment 
areas, and media library only through a single point 
controlled by an electronic access control system, locking 
devices, and/or guard surveillance. This can be accomplish- 
ed very efficiently by the use of a double door, with one 
door opening inward for entry, the other outward for egress. 


34. Media Library Procedures 
Establish a magnetic media library, and develop written 
procedures for library operation: a procedures manual for 
using any automated tape management system, a regular 
schedule of tape cleaning/maintenance, and procedures for 
movement of backup media to and from off-site storage (see 
also Countermeasure 30). A retention schedule for data 
stored on magnetic media, accountability for new media and 
the retirement of old media from active service, and an 
inventory of magnetic media should also be detailed. 
Although the size of the operation will determine the size, 
staffing, and organization of the library, certain minimum 
procedures should be followed in all cases: 
34.1 > Lock all data and program files ina fire-resistant 
room or container when not actually in use. Access 
should be limited to authorized personnel only. 


34.2 ° Develop sign-in/sign-out procedures to account for 
all media. 
34.3 * Have a media librarian present on all shifts. If 


only one librarian is employed or the function is 
performed by a member of the operations staff on a 
part-time basis, control access to media by dual 
custody of lock combination/keys. 


35. DP Security Training 
Establish a DP training program for all personnel, covering 
such areas as: 

* Organizational security policy--All employees 
should be aware of the organization's security 
policy and their responsibility to protect data and 
other resources from misuse, theft, or destruction. 

* Security operating procedures--Train employees in 
day-to-day procedures for handling sensitive 
data/programs, conducting security checks, and 
maintaining the security and integrity of systems 
and facilities. 
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Access control procedures--Delineate the types and 
levels of access to facilities and systems, access 
control systems in use, and escort policy and 
procedures. 

Security incident procedures--Discuss the handling 
of bomb threats, riots/disturbances, unauthorized 
personnel in controlled areas, and emergency 
reporting and response. 


36. Insurance 
Purchase insurance to lessen the financial impact of 
physical loss, computer fraud, and malpractice. Among the 
types ore coverage that should be considered are: 
Property Damage--Insurance can be obtained to cover 
the damage or destruction of facilities, systems, 


data, programs, and other tangible assets. Accep- 
table levels OF loss retention should be 
established. 


Fidelity Coverage--Most organizations can obtain 
fidelity coverage to indemnify them against 
fraudulent acts (including computer fraud) Бу 


employees. 
Business interruption--In addition to property 
damage, the coverage should be sufficient to 


indemnify the organization for loss of revenues 
resulting from damage to or destruction of DP 
resources. 

Third-Party Penetration--New coverage indemnifies 
the organization against the penetration and 
manipulation of DP or communications systems for 
fraudulent purposes by persons not employed by the 
organization. 

Errors and Omissions--Coverage is available that 
insures against loses caused by errors and omis- 
sions on the part of employees and contractors. 


37. Shock-Mounting Equipment 

In areas of seismic activity, install disk drives and other 
vibration-sensitive equipment on free-floating shock mounts 
to minimize the vibration damage. 


38. Balanced Circuits for Security Systems 

All electrically activated security systems should operate 
on a balanced circuit designed to detect a +10 percent 
change in line current, and thus prevent covert disablement 
of security systems by intruders. 


39. Emergency Action Training 

Establish an emergency action training program to ensure 
that all personnel are thoroughly familiar with their duties 
and responsibilities during emergencies. this training 
should be given to all employees within two weeks of 
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starting employment and refresher programs should be 
conducted on a regular basis. The training should include: 

Fire evacuation/suppression 

Bomb threats 

Natural disasters 

Terrorist activity 

Power outages/ failures 

Emergency first aid, including CPR. 


PERSONNEL SECURITY CONTROLS 


40. Data Classification Standards 
Develop data classification standards to determine which 
data processed or stored by automated systems requires addi- 
tional protection beyond that normally provided. The 
sensitivity or criticality of data should be examined in 
three areas during a formal evaluation process: 
Proprietary--Data that provides the organization 
with an advantage over competitors or whose disclo- 
sure might expose the organization to fraud. 
Privacy--Data that is covered by current or antici- 
pated privacy legislation or that should not be 
disclosed for legal or ethical reasons. 
Criticality--The importance of given data to the 
organization's operations (generally described as a 
function of how long the organization could afford 
to be without access to it). 
Levels of classification (e.g., internal use only, company 
secret) should be developed; the degree of protection 
afforded data and the level of access allowed should be a 
function of this classification. 


41.  Position-Sensitivity Levels 
Evaluate the sensitivity of DP positions within the organi- 
zation to determine the permissable level of access to 
sensitive data as well as the depth of background checking 
that must accompany the hiring of an individual. The sensi- 
tivity of DP positions can generally be thought of in the 
following hierarchy: 

Extremely sensitive 

--DP auditor 

--Security officer 

Highly sensitive 

--Computer operator 

--Data entry operator 

--Operations manager 

--System programmer 

Sensitive 

--Computer system engineer 

--Programming manager 

--Application programmer 
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--Tape librarian 

--Data administrator/data base manager 

--Customer engineer/maintenance engineer 
--Communications equipment maintenance technician 
Moderately sensitive 

--Physical security personnel 

--Peripheral equipment operators/maintenance 
technicians 

2 pAouvonectrol/dataccontrol clerks 


42. Background Checks 
Conduct background checks for all personnel in sensitive DP 
positions, basing the thoroughness of the check on the level 
of job sensitivity: 
- Level 1--Extremely/highly sensitive 
--Polygraph/psychological stress analysis (where 
legal; see also Countermeasures 51 and 52) 
--Background examination by investigative personnel 
--Credit check 
--Criminal record check 
--Education record check 
--Reference check 
* Level 2--Sensitive 
--Background examination by investigative personnel 
--Credit check 
--Criminal record check 
--Educational record check 
--Reference check 
'Level 3--Moderately sensitive 
--Credit check 
--Criminal record check 
-—-Reference check 


43. Security Briefing/Nondisclosure Statement 
Give all new personnel within the DP function a detailed 
Security briefing before they start work. This briefing 
should describe the security aspects of the organization's 
operations and delineate organizational security procedures, 
including reporting of security incidents and general and 
Specific security responsibilities. After briefing, all new 
employees should execute a nondisclosure statement 
certifying that: 
* They have been informed of and understand their 
security responsibilities. 
They understand the disciplinary and legal 
penalties associated with unauthorized use of 
resources or disclosure of data. 


44. Personnel Rotation 

Rotate personnel involved in sensitive duties. Not only 
does rotation broaden the individual's knowledge of the 
operation and provide highly desirable cross-training for 
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purposes of backup, it also helps deter the possibility of 
fraud based on collusion. In addition, it serves to prevent 
individuals from becoming locked-in to a particular position 
by providing professional challenge and job stimulation. 
Persons in boring and/or repetitive jobs (data entry and 
data control, for example) should be rotated to ensure that 
they do not feel or become stagnant and to enhance morale. 
Personnel left in the same tedious job for long periods may 
become disgruntled or careless, resulting in willful or 
inadvertent errors and omissions. 


45. Mandatory Leave of Absence 

Require all personnel in sensitive areas to take a stipu- 
lated leave of absence (at least two consecutive weeks) each 
year. This allows pending transactions to clear and helps 
to identify and isolate potential fraud. 


46. Proper Management and Supervision 
The success or failure of any security program can be traced 
to employee attitudes toward both security and the organiza- 


tion itself. There is a clear correlation between employee 
dissatisfaction and the incidence of employee carelessness, 
theft, fraud, or other misconduct. Management should 


therefore address a number of issues, including: 
Work environment--Make sure that work spaces and 


conditions reflect management's concern Bor 
employee well-being and productivity (see Counter- 
measure 10). Provide adequate lighting, in terms 


of the number and type of units, proper dispersal 
and placement, and prompt replacement of burned-out 


or defective units. Noise suppression should 
include  carpeting;  acoustical tiles, baffles, 
paneling, and equipment covers. Provide adequate 


ventilation and proper temperature and humidity 
(see Countermeasure 11) and effective fire detec- 
tion and suppression equipment (see Countermeasures 
4 and 5). Exits should be appropriately marked and 
easily accessible. 

Professional Growth--Challenge and growth are major 
motivating factors for DP professionals (as well as 
for other employees). Encourage employees to par- 
ticipate in professional organizations and to 
continue their education, through both external 
training and in-house professional development 
seminars. 

Performance Evaluations--Use frequent informal per- 
formance evaluations to give employees feedback on 
job performance and to offer them a chance to 
express their feelings about the working environ- 
ment and their own career progress. Evaluations 
can also uncover potential problem areas before 
they become serious. 


106 


- Personal incentives--Consider instituting security 


award programs to reward employees who report 
theft, fraud, or other unauthorized use or 
manipulation of DP resources; such programs can 
become part of the performance evaluation. 
Detection and deterrence--Organizations whose 
employees believe they are likely to be caught if 
they engage in unauthorized activities experience a 
significantly lower level of theft and fraud. The 
more severe the reaction of management and co- 
Workers, the lower the number of incidents (co- 
Worker sanctions are particularly effective). 
Grievance Procedures--Establish fair and equitable 
grievance procedures and administer them impartial- 
тү. Management at all levels should be attentive 
to grievances and act promptly on those that are 
justified. 

Awareness of personal problems--Be alert to major 
changes in the personal as well as work habits of 


subordinates. Such changes frequently signal an 
increased potential for fraud, misuse of resources, 
or disclosure of sensitive data. Changes in 


attendance patterns, evidence of alcohol and/or 
drug abuse, an inordinately high standard of living 
in relation to salary, severe indebtedness, and 
Similar changes may indicate serious personal prob- 
lems. Managers should investigate the causes of 
these problems and use all available organizational 
mechanisms to provide effective and timely 
assistance. 


47. Termination Procedures 
Upon notification to or by the employee of an intention to 
terminate employment, the supervisor should immediately: 

° Notify the DP security officer and the personnel 


department of the pending termination. 

Request cancellation of all passwords/user IDs to 
which the employee has access, and have the 
employee turn in all keys, documentation, manuals, 
and other organizational material in his or her 
possession. 

Relieve the employee of all responsibilities 
involving sensitive data or programs and provide 


nonsensitive work instead. If nonsensitive work is 
unavailable, the employee should be relieved of all 
duties. Further access by the employee to the 


premises should be as a visitor and controlled as 
such. 


The DP security officer should immediately: 


Ф 


Cancel all passwords/user IDs pertaining to the 
employee. 
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- Change cryptographic keys or authentication codes 
to which the employee has had access. 

* Brief the employee on his or her continuing legal 
responsibility to protect sensitive proprietary 
data after termination of employment. Have the 
employee execute a security termination/nondisclo- 
sure statement signifying his or her understanding 
of these responsibilities. 


48. Formal Position Description 

Develop formal position descriptions that incorporate levels 
of sensitivity and the need to restrict access to data and 
programs; describe the scope, content, and specific duties 
of each position. The descriptions provide personnel with a 
clear delineation of their duties; they also provide the 
organization with a standard against which individual 
performance can be measured. 


49. Separation of Duties 
Use the two-man principle by involving several people in the 
performance of sensitive duties. Such separation makes 
fraud more difficult by increasing the number of individuals 
who must be party to the fraud, and it provides an important 
error-checking and quality-control function. Separation of 
duties restricts the DP-related activities of the following 
groups of employees: 
* Programmers: 
--Programmers may not both specify and write a 
procedure. 
--Programmers may not write and test the same 
procedure. 
--Programmers may not develop and maintain the same 
procedure. 
--Programmers may not write a procedure and main- 
tain that procedure in the program library. 
--Programmers may not write a procedure and then 
execute it in a production mode. 
--Programmers may not control any transfers between 
programmer development libraries and production 
libraries. 
* Operators: 
--Operators may not make changes to application or 
system software. 
--Operators may not have access to source code or 
source listings. Access to all other documentation 
should be on a strict need-to-know basis as 
required for actual processing. 
--Operators may perform no balancing activities 
except those necessary for run-to-run controls. 
--Operators may execute only programs scheduled 
through the established proper procedures. 
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--Operators may not execute data or software-modi- 
fying system utilities (e.g., IBM's SUPERZAP) with- 
out proper authorization and dual control. 
--Operators may not execute programs from text 
libraries during production runs. 

--Operators may not override internal labels 
without supervisory approval. 

Users: 

--Data entry personnel may not prepare source 
documents for input. 

--Someone other than the input operator must verify 
all data input, unless programmatically verified. 
--The same person may not perform input and output 
duties. 

--The same person may not post and balance general 
ledger and other sensitive entries. 

--The person who prepared the original transaction 
may not prepare rejects or nonreads for reentry. 
--Master file and other sensitive transaction 
changes must be under dual control. 


50. Preemployment Suitability Testing 

Use preemployment suitability testing. These tests, which 
can be quickly and easily given to applicants, do not vio- 
late the legal prohibitions present in many states on the 
use of polygraphs or psychological stress analyzers in pre- 
employment screening (see Countermeasures 51 and 52). Field 
experience has shown that a high percentage of applicants 
who fail these tests have a history of theft, drug or 
alcohol abuse, or emotional instability. 


51. Psychological Stress Evaluation (PSE) 

PSE equipment measures the level of stress present in a sub- 
ject's voice. Measuring this stress level is said to enable 
determination of whether an applicant is answering questions 
truthfully in preemployment interviewing. Use of this tech- 
nique, however, has raised legal and ethical questions, and 
some states have outlawed such testing. 


52.  Polygraphic Examination 

Polygraphs measure the electrical conductivity of the skin. 
They have been used during the past 20 years to give some 
indication of the truthfulness of answers to questions posed 
during an interview. Serious questions have been raised 
regarding their accuracy, however, and many states have 
outlawed them for preemployment screening. 
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HARDWARE SECURITY CONTROLS 


53. Power Filters 

In installations that do not use conditional power, equip 
all DP hardware with power filters to prevent damage to 
hardware or data from power surges and spikes. 


54.  Minicomputer-Based Hardware Monitors 

Use minicomputer-based hardware monitors for the collection 
and analysis of large quantities of data in real time 
without placing excessive overhead on the operating system. 
Security personnel can thus constantly monitor and analyze 
system activity without degrading the speed and quality of 
processing. Use of an independent security monitor also 
makes the system far less vulnerable to subversion and 
unauthorized access, since would-be penetrator must avoid 
both the security safeguards of the mainframe and the 
surveillance of the external monitor. Illegal requests or 
those inconsistent with the terminal's authority, excessive 
log-on failures, and attempts to use deactivated but still 
resident software should be monitored and logged. 


55.  Hardware-Generated CPU Identification Code 

The system uses a hardware-generated code that identifies a 
particular CPU (especially useful in networks of multiple 
CPUs). 


56.  Program-Readable Clock 

This system uses a clock word in memory that can be read 
(but not written) by user programs; it is essential for 
logging, since it gives the capability of affixing a time 
stamp to a message or transaction. 


57. Ring Architecture 

In this form of system architecture, data and/or programs 
are organized into a fixed number of hierarchically ordered 
rings. The higher the number of the ring, the lower the 
level of privilege; ring zero is the highest level of 
privilege. User programs executing within a given ring are 
then granted access to segments in rings at their own or a 
lower level of privilege (i.e., a higher-numbered ring), 
protecting segments іп  lower-numbered rings. І11еда1 
instructions should cause an interrupt. 


58.  Capability-Based Architecture 

This architecture requires that each program maintain a 
table of absolute addresses of all segments it has the 
authority to access. A program is then said to have the 
capability of accessing these segments. When a program 
requests a segment, the executive checks its access privi- 
leges; if access is authorized, the program is given the 
access capability for that segment. 
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59. Prohibition of Unspecified Operation Codes 
The system recognizes all allowable operation codes; those 
unspecified are denied execution. 


60. Memory-Clearing Instructions 

An operating system function is used to overwrite with zeros 
all areas of core memory and/or mass storage used by a 
program, after program execution and before releasing 
storage for reuse. 


61. Segmentation 

This scheme, in which the architecture supports segmenta- 
tion, 1S similar to paging except that variable-length 
blocks of memory are used. Thus, a program can define 
logical blocks of memory (modules) to constitute segments. 
This decreases the frequency of Swapping, since once a 
module is brought into main memory, it usually remains there 
until it finishes execution and exits. Segment tables store 
the origin and length of each segment, permitting the 
sharing of segments between multiple users. These tables 
also control user access to shared resources. 


62. Paging 

Mass storage 1s subdivided by hardware/software into pages 
of equal size; these are then used as an extension of main 
memory. Memory mapping using resident tables and hardware 
registers is then performed to map the program's virtual 
memory space with its physical location, which will gener- 
ally be divided between main memory and mass storage. A 
page fault occurs when a program attempts to fetch or store 
data not resident in main memory. The page containing the 
desired virtual address is located and its contents swapped 
into main memory. 


63. Storage Locks and Keys 

The architecture uses bit masks to protect specific blocks 
of main memory, and the operating system places a lock at 
the beginning of each such block of storage. Each operating 
program (including the executive) has a key that is kept in 
a hardware register. Each program is authorized access only 
to those blocks whose locks match this key. The executive 
ls assigned a key of zero that accesses the locks of all 
other operating programs. 


64.  Memory-Bounds Registers 

Memory-bounds registers consist of a base-address register 
and an upper-limit register that are loaded by the operating 
system when a job is brought into main memory. Each memory 
reference by the job is checked to ensure that it neither 
exceeds the memory allocated to it nor intrudes on memory 
locations allocated to other jobs. There should be an 
attribute register for each bounds register. These 
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registers contain values that indicate the type and charac- 
teristics of the data being stored and protected; they allow 
implementation of more complex protection mechanisms (e.g., 
read only, write only) in the hardware. 


65. Firmware Implementation of Sensitive Functions 

Because of the recognized subvertability of software, 
certain critical functions (e.g., access control tables, 
sensitive operating system routines) can now be firmware 
based (burned into chips). Execution speeds сап be 
dramatically increased, and security is enhanced because of 
the difficulty of covert firmware modification. Physical 
access to firmware, nevertheless, should be limited and 
strictly controlled and monitored. Install locks and 
counters that show how many times the cabinet has been 
opened on all cabinets containing firmware. Regularly 
inspect all firmware components for signs of tampering. 


66. EMI Containment Procedures 
Use electromagnetic interference (EMI) containment proce- 
dures to minimize the possibility of compromising emanations 
being intercepted. These measures include: 
- Use of TEMPEST-approved equipment? 

Use of EMI shielding material to insulate the room 

or the equipment housing. 

Use of internal EMI suppressors on equipment. 


67. Physical Control Zone (PCZ) 

Establish a PCZ to control EMI and to prevent unauthorized 
personnel from entering it to monitor electronic emanations. 
The zone should be large enough so that, at its perimeter, 
the level of signal strength that can be acquired is less 
than 10 microvolts per square meter. 


SOFTWARE SECURITY CONTROLS 


68. Life Cycle Approach to Software Development 
Use of a life-cycle approach improves management's view of 
and control over the software development process. This 
methodology defines the various phases of software develop- 
ment, implementation, and enhancement, all of which affect 
the security of the system, dividing these phases into major 
milestones and activities. The major phases in the life 
Cycle of a software system are: 
Initiation and survey--The goals and benefits of 
the project are described and the actual need for 
the system determined. 


lTEMPEST refers to a government program involving the 
building of components that effectively contain emanations. 
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Functional requirements definition--Major user 
needs and processing requirements are defined. 
System architecture definition--Various alternative 
methods of addressing the functional requirements 
are identified and defined. 

User design--The external design of the system 


(i.e., how it will appear to the user) is defined, 
as are all processing and I/O requirements and the 
like. 


System design--High-level user requirements аге 
translated into specific system requirements, such 
as file structure, data base, I/O, data capture, 
security and control, and testing. 
Implementation--All designs and plans from the 
previous phases are translated into executable 
programs that perform in the test environment 
according to specification. The entire system is 
run through acceptance testing. The system is then 
installed as part of the production environment. 
Maintenance--The objective here is to ensure that 
each production application performs in an optimum 
manner as perceived by users, computer operations, 
and systems development. 


69. Software Development Methodology 

Formulate and publish a formal set of software development 

standards within the organization. This publication should 

take the form of a systems programming and standards manual 

applicable to all organizational elements. 

Use a structured methodology such as top-down development, 

which consists of the following phases: 

` Top-down design-~-Software should be designed so 

that it identifies first the major functions to be 
accomplished, then the lower functions derived from 
these. A tree structure is designed, containing 
these subfunctions with the highest level of 
control logic in the top segment and control 
passing to lower-level segments. This process 
continues for as many levels as required until all 
subfunctions are included in the structure. 
Top-down implementation--Implementation of the 
design produces a top-down hierarchy of subfunc- 
tions. No program component is generated until the 
component upon which it depends has been produced. 
Top-down  testing--The  highest-level segment is 
tested once it is coded; this segment then exits to 
the next-lower segment, which is also tested (if it 
has been coded). Since higher-level segments are 
used to exercise lower-level segments, careful 
design and planning will ensure that the most 
critical subfunctions are also the most tested. 
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70. Documentation 

Document systems adequately throughout their life cycle so 
that all system and program functions are recorded for use 
in subsequent design efforts and for support of system 


audits. Documents produced during the development or 
не of a system and/or program should include: 
Functional description--Prepared during the 


definition stage of the system life cycle, this 
offers a high-level definition of the functions to 
be provided by the operational system. Since the 
functional description is used by both technical 
and nontechnical personnel, it should contain a 
minimum of computerese. 

Data requirements document--This is a technical 
document prepared by both development and user 
personnel, providing as much detail as possible in 
the following areas: 

--Input required 

--Procedures for providing input to the system 
-=-Expected output 

--All uses of standard data elements 

--Data limitations of the system 

System/subsystem specification--This technical 
document is prepared during the design phase to 
guide system personnel during the development of 
large projects. It provides more detail concerning 
the system environment and design elements than 
does the functional description.  System/subsystem 
interfaces are also defined. 

Program specification--Used to guide program devel- 
opment during detailed design, this provides more 
detailed data requirements than either the 
functional description or the  system/subsystem 
Specification. The program specification is 
concerned with only the segments of the description 
and specification that can be applied to a 
particular program. 

Data base specifications--These documents are pre- 
pared for use when many analysts/programmers are 
involved in writing programs using the same data. 
The specifications must be detailed enough to allow 
program coding and data base generation by the 
development team. 

User manual--Directed to the system user group, the 
manual provides the following guidance: 

--General and/or specific information on a given 
computer system or program, oriented toward general 
management and staff personnel 

--Details on providing system input 

--Responses required to system requests 

--System output procedures and formats 
--Instructions for operating peripherals 
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* Computer operations manual--This is directed toward 
supervisory and control personnel, providing the 
detailed operating procedures necessary to 
initiate, run, and terminate the system. 

Program maintenance manual--This manual provides 
general and specific information about the computer 


program БОГ maintenance personnel, offering 
detailed technical presentations of computer 
programs. 


Test plan--This provides a mechanism for directing 

a comprehensive system testing program, enumerating 

test events, schedules, and materials. 

Test analysis report--This describes the 

methodology and results of system/program testing. 
Establish a master documentation library, with written 
procedures to ensure that all documentation contained in it 
is current. Control access to the library on a strict need- 
to-know basis. 


71. Software Quality Assurance 
Establish a formal software quality assurance group within 
the data processing organization. This group's charter 
should stipulate that it reviews all software and related 
documents for: 

" Accuracy, consistency, and readability 

* Conformance to security and control standards 

* Conformance to system and program specifications 

* Adequacy of documentation 

б“ JCL and other control errors that might create 

problems in a production environment 

All software products and related documentation should 
constitute a reliable and maintainable product. 


Conduct a software quality assurance review when: 
“ A major change is made to any production system 
* Any change is made to a critical or sensitive 
system 
* Any software product from a third-party vendor is 
delivered 
* А new system development effort is completed 
Ensure that all test kits (test programs designed to exer- 
cise specific application software systems) are maintained 
by quality assurance. Changes to these kits should be per- 
formed by quality assurance with input from the systems 
development staff. 


72. Configuration Management (CM) 

Use this technique to control the evolution of the modifica- 
tions to a system during its development. Technical and 
administrative direction and surveillance should be applied 
to identify and document the functional and physical charac- 
teristics of hardware and software. CM also controls 
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changes to these characteristics and records and reports 
change processing and implementation status, minimizing the 
possibility of unauthorized hardware Or software 
modifieatien- 


73. Verification and Validation (V&V) 

Use software V&V to ascertain that system requirements are 
accurately stated, that the software is being developed in 
accordance with the stated specifications, and that in oper- 
ation it satisfactorily performs the functions for which it 
was designed. 

* Verification--This substantiates that requirements, 

design, and code are complete and consistent with 
each other. It involves the review of all software 
life cycle to ensure that they conform to earlier 
documents and will ultimately conform То the 
requirements. 
Validation--This confirms the feasibility апа 
testability of requirements and the correctness of 
the design and code. It involves exercising and 
analyzing the software to ensure its performance 
according to specifications and to discover latent 
errors. Validation provides greater guarantees of 
a correct system by comparing expected results with 
actual system performance when the system is exten- 
Sively exercised. 


74. Chief Programmer Team Concept 

Use chief programmer teams to break a large system produc- 
tion group into smaller groups to minimize problems and 
errors. A programming team consists of a leader and usually 
fewer than eight members. The team is given complete 
responsibility for a portion of the system and is expected 
to produce well-implemented well-defined software for that 
portion. Keeping the group small minimizes problems, 
especially those of communication. 


75. Structured Walkthroughs 

Use this technique, in which the designer/author simulates 
the execution of the program/system segment in front of a 
peer group for their evaluation, to review the logic and 
functionality of system and program deSign prior to actual 
testing of code modules. Such reviews are informal and are 
usually completed within one or two hours. 


76. Program Librarian 

Use an operating system containing a program librarian to 
provide maintenance of software programs within the system. 
The library consists primarily of internal and external 
entities. The internal library is maintained ina disk file 
and contains the programs and job control statements that 
have been generated by the programming team. The external 
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library consists of program source listings, test results, 
and the like. The librarian function adds, deletes, and 
modifies library programs and maintains a record of library 
program accesses for use aS an audit and surveillance tool. 
In an automated environment, interface the library manage- 
ment system with access control software to provide data set 
protection for library accesses. 


77. Software Documentation Reviews 
A software documentation review is an audit and validation 
of developed software. Based mainly on the source listings 
and any available system documentation, the review and audit 
are directed primarily toward software development improve- 
ments. The process should increase confidence in the 
software and produce a more reliable and maintainable 
product. Software documentation review activities fall into 
the following four areas: 
Familiarization with and review of the code and 
applicable documentation 
Review of software construction and coding 
techniques 
Generation of a functional description based on 
derived functional requirements and knowledge of 
the software 
Analysis of the functional description and its 
relationship to the actual implementation. 


78. High~-Order Languages (HOLs) 
Use a high-order language that provides control structure 
and/or data structure features, allowing programming to Бе 


done at the abstract and machine-independent level. Such 
programming takes less time and produces more readable, 
auditable, and maintainable code than does assembly 


language. HOLs include FORTRAN, COBOL, ALGOL, PL/1, Pascal, 
CMS2, and Ada. 


79. Access Control Software 

Use access control software (e.g., RACF, ACF2, SECURE, SAC, 
TOP SECRET) for enhanced control of access to sensitive 
data. 


80. Internal Tape Labels 

Use a tape management system that assigns magnetically 
encoded labels and does not rely on external serial numbers 
on tape reels. This greatly reduces the possibility of 
inadvertently or willfully mounting and running unauthorized 
tapes or altering external labels. 


81. Data File Encryption 

Provide a high level of security to stored sensitive data by 
means of file encryption. In this process, data is 
encrypted prior to its storage on magnetic media. Theft of 


TIS 


the medium or unauthorized file access will yield only data 
in encrypted form. Authorized users, however, can decrypt 
the data at the time of file opening. Unlike link encryp- 
tion (see Countermeasure 114), file encryption is software 
rather than hardware based. If a system based on the data 
encryption standard (DES) 15 used, ensure that keys are 
stored in encrypted form and changed regularly. 


82. Automated Code Analysis 

Use automated code analysis to validate code in relation to 
its specification. This tool is also effective in reviewing 
and evaluating software construction and coding techniques 
with respect to accepted industry standards and practices. 
It can be used to facilitate certification of newly develop- 
ed security-related software and to provide fast and accur- 
ate auditing of existing programs to detect unauthorized 
code modification. 


83. Self-Metric Software 

Use a software routine that contains embedded code to meter 
the performance of specific activities, for example, the 
amount of main storage or other system resources accumulated 
by the routine's associated processes. 


84. Trace Program 

Using a trace program to aid in error detection. This diag- 
nostic tool is an operating system capability that provides 
a sequential record and analysis of each instruction execut- 
ed in a program. If files are created, they should be 
deleted after program execution. The trace programs should 
display the values of variables and program instructions; 
they should not change the value of any variable, instruc- 
tion, or data, nor should they alter the course of execu- 
tion. In some cases, the use of trace programs might itself 
be considered a threat, and adequate controls protective 
must be placed on all sensitive files that might be accessed 
by the trace program(s). 


85. Time-Out Feature 

Ensure that the operating system provides the timing 
services required to support a secure operational environ- 
ment. Both time-of-day clock and CPU (interval) timer 
facilities should be supported. Task management should use 
timer services to control and limit CPU use through 
scheduling algorithms. Inactive processes, or terminals (in 
an interactive environment) should be terminated after a 
predetermined period. 


86. Threat Monitoring 

Ensure that the operating system provides threat-monitoring 
information. The system should record data on the following 
events as often as the user desires: 
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Unauthorized attempts to enter the system 

All attempts (authorized or unauthorized) to access 

protected resources 

All attempts to issue restricted commands 

All attempts to modify profiles on restricted data 
The system should route messages to the security console, 
and each incident should be recorded on the security 
log/audit trail. 


87. Security Auditing and Accounting 
The system security auditing and accounting capability 
should, as a minimum: 

° Record all unsuccessful log-on attempts to the 


system 
Record all attempts to enter supervisor mode 
Record all attempts CO access restricted 


schemas/subschemas 

Record all trapped requests requiring extended 
access authorization 

Log all system transactions, including jobs on/off, 
with user/terminal/program ID and the date time 
group (DTG) 

Log data/files requested and/or accessed, including 
access keys and the number and types of access 

Log the disposition of data, including number of 
records input/output/displayed and terminals or 
logical devices to which data is output. 

Log crashes, machine failures, and restarts 

Log program aborts 

Log changes to security access tables 

Log program library updates 

Log all descriptor changes. 


88. Security Labeling 

Ensure that the system labels all input/output with security 
and/or sensitivity labels and checks routing indicators 
before data output. Data objects should be labeled with 
security information, and the operating system should check 
all labels before processing. 


89. Extended Access Checking 

Ensure that the system has the capability for an extended 
method of access authorization such as an extended handshake 
Or question and answer (see Countermeasure 117) to restrict 
access to data or processes. The software that controls the 
handshaking must require proper data and must log all access 
attempts. 


90. Operating System Identification of Terminals 

All terminal activity should be controlled by the operating 
system, which should be able to identify terminals, whether 
they are hardwired or connected through communications 
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lines. A chart should be created for use in identifying and 
locating terminals according to their IDs. 

The operating system should inspect log-on requests to 
determine which application the terminal user desires. Тһе 
user should identify an existing application and supply a 
valid user ID and password combination (see Countermeasure 
119). If the log-on request is valid, the operating system 
should make a logical connection between the user and the 
application. 


91. Operating System Control of Data Transfer 

Maintain positive control of all data transfers between 
files and logical devices through the operating system. 
Performing error and parity checking on each fetch and 
transfer cycle prevents the injection of malicious or 
inadvertent errors into the system during data transfer. 


92. Operating System Control of Resource Allocation 

The operating system dispatcher should control processor 
allocation, using a priority queue determined by the users 
and the installation's established policy. As each task is 
dispatched, a control register should be loaded with the 
address of the task's unique address translation table. The 
control register should not be accessible by the user 
program, and the tables should be retained in storage areas 
that are not among the user program's read/write/execute 
capabilities. 


93. Operating System Control of Maintenance Software 

The operating system should permit access/execution of 
utility software only in the system state or privileged 
mode. This feature protects against covert modification of 
software. Special care should take in the control of utili- 
ties such as SUPERZAP, with all accesses and/or uses logged 
and reported. 


94. Operating System Control of Executive Mode 
Access/Execution 

The operating system should have the capability to create 

two modes or states for processor operation: supervisor and 

user states, which operate in privileged and unprivileged 


modes, respectively. Certain processor instructions are 
designated privileged and can be executed only when the 
processor iS operating in the privileged state. Privileged 


instructions, for example, are those that: 

Perform input/output 

Control the interrupt mechanism 

Set base and bounds registers or locks and keys 
User programs execute with the processor in unprivileged 
mode, and any attempt to execute a privileged instruction is 
trapped by the processor. 
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95. Operating System Erasure/Purge of Residual Data 

The operating system should have the capability (by over- 
write, dump restore, or the like) to erase or purge residual 
data. This should be performed on all main memory locations 
and peripheral storage after completion of classified or 
sensitive processing and before reallocation of system 
resources to another user. 


96. Virtual Machine Monitor (VMM) 

The VMM, the central control program in a virtual machine 
system, supports an extended machine on which user programs 
can be run. Since the VMM can support programs that use the 
full capability of a computer system, it can support 
complete operating systems in the same way that operating 
systems support user programs. Therefore, it is possible to 
run two incompatible operating systems on a single computer 
at the same time or to run one operating system in produc- 
tion mode while system programmers simultaneously modify 
another active copy of that operating system. The VMM 
effectively operates as an isolation mechanism. 


97. Job Management 
The principal job management functions of the operating 
system should be provided by a job entry subsystem, through 
which all jobs, started tasks, and time-sharing log-on 
requests should enter the system. The job management func- 
tion таза the following basic tasks: 
Reading jobs into the system 

* Scheduling jobs for execution 

* Maintaining all data submitted with jobs 

* Supporting the system management facilities 

* Handling output from jobs and time-sharing users 


98. Job Scheduling 

The operating system should provide job scheduling functions 
consistent with a secure processing environment. Input an 
output data streams should be handled in a manner that 
restricts access to the associated job through the use of 
dynamically allocated spool space (see Countermeasure 99). 


99. Job Spooling 

The operating system should provide the spooling function 
for input and output data streams. It should follow naming 
conventions for spooled data sets that guarantee restricted 
access (e.g., input data sets can be accessed only b the job 
that created them). Similarly, spooled output should auto- 
matically be associated with the creating job. 


100. Interrupt Handlers 

Operating system interrupt-handling programs should support 
hardware features that supplement the security feature of 
the task management functions. In addition to detecting 
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external signals for service and normal completion of I/O 
requests, the interrupt mechanism should recognize the 
following potential security violations: 
Attempts to execute undefined instruction code 
Attempts by programs executing in user (unprivi- 
leged) mode to execute privileged instructions 
Attempts to reference unallocated storage addresses 
Attempts to exceed current capabilities when refer- 
encing allocated storage (e.g., attempts to write 
in read-only areas) 
Attempts to reference main storage allocated to 
other user jobs or any of the various operating 
system functions 
Attempts to issue invalid commands to storage 
devices 
After the attempted operation has been aborted by the hard- 
ware, the interrupt handler should routinely terminate the 
user program. 


101. Recovery Management 

Recovery management facilities should handle error proces- 

Sing for both hardware and software failures, so that system 

пес UN) can continue with minimal downtime. 
Software failure recovery--The recovery facility 
should monitor the flow of software recovery 
processing by handling all abnormal terminations of 
tasks and address spaces and passing control to 
recovery routines associated with the terminating 
functions. 
Hardware failure  recovery--The operating system 
should have the capability to gather information 
about hardware reliability and allow the user to 
retry operations that failed because of processor, 
I/O device, or channel errors. This feature should 
be designed to keep the system operational in the 
event of hardware failures. 


102. Indirect Addressing 

All addresses passed between the system and the user should 
be logical in nature rather than real, protecting memory 
address locations of classified or sensitive data. 


103. Paging 

The paging supervision routines of the operating system 
should be responsible for transferring individual page con- 
tents and swapping complete user page sets between main and 
secondary storage. Tables that provide a directory to the 
contents of each available page on the direct-access data 
sets should be accessible only by executive-mode routines. 
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104. Data Base Access Controls 

Data base access controls should be provided at the user, 
data, and process levels. Loggings of all accesses and 
attempted accesses should be available, and the DBMS should 
provide concurrent access controls and deadlock resolution. 


105. Data Dictionary Controls 
Certain data dictionary features enhance security in the 
data base; these features include: 

- Level of  integration--A highly integrated data 
dictionary requires greater security measures. 
Develop procedures to prevent misuse of the addi- 
tional capabilities integration offers. 

* Access control--The data dictionary should have 
access controls to prevent any unauthorized use or 
modification. 

* Backup--Establish procedures for keeping a current 
certified copy of the data dictionary. 

* Certification/verifiability--Establish procedures 
for certification and verification of backup as 
well as production copies of the data dictionary. 

* Program registration--The data dictionary should 
have a program registration capability to prevent 
unauthorized access or use. 


106. Data Base Recovery 
Provide the capability for rapid and efficient data base 
recovery, including: 

* Backup--Utilities, programs, and procedures should 
be available to provide backup for the data base. 

* Up-to-date copies--Current copies of all essential 
program files and the like should be kept available 
and secure. 

* Documentation--Recovery and backup procedure docu- 
mentation should be kept current. 

* Levels oof recovery--Provisions for selective 
recovery and definitions of acceptable degradation 
of service should be specified. 


107. Data Base Maintenance 
Adequate facilities and procedures for data base maintenance 
are essential for data base security. These include: 

* Vendor  interface--Vendor maintenance procedures 
should be established to ensure that security is 
not compromised. 

* Ease of maintenance--Easy-to-maintain modules and 
well-defined software maintenance procedures are 
essential: lack of proper maintenance can cause 
security breaches. 

- Maintenance responsibility--Clearly define mainte- 
nance responsibility and specify procedures for 
certification and verification. 
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Evaluation/certification--Establish requirements 
for the evaluation and certification of the DBMS, 
and keep a certified audit copy as backup. Docu- 
mentation relating to the DBMS should be kept 
current with the operational version. 


COMMUNICATIONS SECURITY CONTROLS 


108. Limitation of Log-on Attempts 

Limit system log-on attempts from remote terminal devices. 
More than two unsuccessful attempts should result in 
termination of the session, generation of an audit entry 
and/or operator message, and purging of the input queue of 
messages from that terminal. 


109. Passwords 

Use passwords that require the user to enter a string of 
characters that are checked by the system against a system- 
resident password file. Access is granted or denied 
accordingly. Current password schemes include: 

* Simple or fixed passwords--In this scheme, the user 
selects a fixed-length character string and stores 
it in the file prior to ue This system is 
inexpensive, it uses an easy-to-remember password, 
and it remains valid until changed by the user. 
However, user-generated passwords are frequently 
obvious (e.g., user's name, spouse's name) and are 
thus easily penetrated. 

Changeable (one-time) passwords--This scheme 
increases the integrity of a simple password by 
providing the user with a given list of passwords. 
The same list is stored in the computer in encrypt- 


ed form. The user selects the first password on 
the list, which matches the first password stored 
on the system-resident table. The user then 


crosses that password off the list. Similarly, the 
system will not honor that password for subsequent 
requests, whether or not the user is authorized. 
Changeable passwords can also be used to authenti- 
cate the computer's log-off acknowledgement as well 
as the user's logoff request. 

Random passwords--In this technique, the user is 
supplied with a pseudo-random number at log-on, and 
transforms it algebraically, using a transform 
previously provided by the system. The system per- 
forms the same transformation instantly and 
compares the answers. Although a hostile 
individual may intercept the argument of the 
function or the answer transmitted to the computer, 
he or she does not know the nature of the transfor- 
mation and its thus denied acecsseee = enema, sce 
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* Functional passwords--Multilevel protection codes 
stored within each user's password determine the 
user's level of access to specified processor func- 
tions and data sets. 


110. Terminal Password Suppression 

Use a nonprinting, password-suppression feature on all 
terminals to prevent the display of a user ID or password at 
oG on. 


111. Process Lockout 

Develop controls to restrict critical transactions to 
specific time periods such as normal working hours and 
prohibit their generation at any other time. Terminals used 
to process restricted transactions and critical files can be 
locked out physically and/or through system software 
controls (see also Countermeasures 85 and 116). 


112. Control of Dial-up Mode 

Use the following controls for dial-up networks: 
Maintain the confidentiality of dial-up telephone 
numbers and change them at regular intervals. 
Use automatic dial-back for caller authentication. 


113. Restricted Dial-up Access 

Restrict access of dial-up terminals to particular port(s) 
or front-end communications processors by equipping dial-up 
terminals with an identification chip that will generate a 
hardware identifier signal. This signal allows the communi- 
cations processor to recognize the terminal as a dial-up and 
to route its messages to the designated port or processor 
(See also Countermeasure 124). 


114. Communications Link Encryption 

Use cryptographic devices to encrypt sensitive data trans- 
missions. At the receiving end, a compatible device 
decrypts the communication. Monitoring encrypted communi- 
cations thus yields an interloper only unintelligible text. 
Encryption also provides an additional source of message 
error checking, since any error occurring during trans- 
mission results in a change in the bit structure, causing 
the message to fail decryption. 


115. Security Network Front Ends (NFE) 

Using a minicomputer as an NFE provides surveillance and 
auditability between nodes in a network as well as protec- 
tion between terminals and host processors at the nodes. 
The NFE can perform the same type of monitoring functions at 
the network level as those that are performed by the hard- 
ward monitor at the system level (e.g., transaction logging, 
access validation, surveillance, audit trail). This 
monitoring can provide a real-time profile of network use 
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and performance, permitting identification and isolation of 
problems before a serious compromise occurs. The NFE 
operates mostly logically, either as a component of the net- 
work control/management system or co-located with it in the 
network control center. 


116. Hardware Terminal Locking 

In areas that are not physically secured, equip terminals 
with locking devices to prevent their use during unattended 
periods. The locks should be installed in addition to pro- 
grammed restrictions, such as automatic disconnect after a 
given period of inactivity (see also Countermeasures 85 and 
naris 


117. Dialogue Techniques 
These are challenge/response techniques between the user and 
the system, such as: 

'* Extended  handshake--To gain admittance to the 

system, the user must first satisfy a sequential 
decision procedure based on user-specific input 
parameters  (e.g., user ІП, password). This 
mechanism can restrict a terminal or user to 
certain physical locations, time periods, data 
sets, functions, or other attributes. 
Question and answer--This technique is based on 
system-resident tables of standard апа user- 
supplied questions and answers. When a user 
attempts to log-on, some or all of these questions, 
chosen at random, are asked by the operating 
system. The user must answer all the questions 
correctly in order to be granted access. 


118. Fiber Optic Cable 

Use fiber optic cable to prevent physical wiretapping. 
Because fiber optics use light as the transmission medium, 
any break in the integrity of the cable (such as that 
created by a wiretap) will destroy the cable's conductivity, 
rendering monitoring impossible. 


119. Shielded Cable 

Use cable (e.g., coaxial cable) shielded to prevent electro- 
magnetic radiation and designed so that any attempt to tap 
will result in destruction of the circuit and/or activation 
of alarm sensors. 


120. Message Authentication Standard 

Use the ANSIX9.E8 Message Authentication Standard[6} to 
authenticate messages, detect attempts at message modifica- 
tion, and increase the effectiveness of communications error 
checking. 
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121. Error Checking 

Use polynomial error checking to detect errors in message 
blocks. This method uses a mathematical algorithm to check 
the structure and composition of bits transmitted against 
bits received: All the one bits in a message block are 
counted and divided by a prime number. The remainder (of 
this division) is transmitted with the message; the receiver 
performs the same calculation and matches the remainders. 
If the remainders match, the message has been received as 
sent. Attempts to tamper with the message as well as acci- 
dental changes caused by line noise and other nonmalicious 
factors can be detected. 

All errors should generate an error message at the receiving 
end; each message should be accompanied by a description of 
corrective action to be taken by the operator. An 
explanation of all error messages should be contained in a 
user manual to be available at the network control center 
(NCC). 


122. Message Parity Checking 

Use both vertical and horizontal parity checking on all 
incoming messages. This is particularly important in asyn- 
chronous communications (e.g., TTY), since no time base 
common to sender and receiver is present (as it is in syn- 
chronous transmission). An 8th bit is added to the 7-bit 
ASCII coding structure. This bit, based solely on the value 
of the other 7 bits, is used to detect any change in the 
message during transmission. The technique is extremely 
useful in detecting both inadvertent and malicious changes 
in message content and structure. 


123. Physical Security of Communications Appearances 
Provide adequate physical security for all communications 


appearances (e.g., telephone cable rooms, cable runs) where 
physical wiretapping is possible. Measures to be taken 
include: 


* Enclosure of all communications appearances іп 
areas that can be locked and physically secured. 

* Installation of cipher locks or magnetic key card 
devices on doors leading to wiring rooms or 
closets. 

Installation of magnetic contact alarms and motion 
detectors in areas that are not subject to 24-hour 
human surveillance. 
Provide all modems, multiplexors, and patch panels with ade- 
quate physical security, including: 
Limitation of access to authorized personnel only 
Placement of modems, multiplexors, and other equip- 
ment in areas such as the network control center 
where they can be under 20-hour surveillance 
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“Іп remote equipment areas, CCTV coverage and 
installation of electronic intrusion detection 
systems 

See also Countermeasures 1, 2, and 12. 


124. Hardware Terminal Identifier 

Fit all terminals using dedicated lines with a hardware 
identifier chip that so identifies the terminal to the sys- 
tem. This will allow controls to be developed to restrict 
access by user function and data as well as message origin 
(see also Countermeasure 113). 


125. ACK/NAK 


Use ACK/NAK for all messages. These characters indicate 
that the previous transmission was successfully received 
(АСК). If no previous message has been received, whether 


lost in transmission or simply not sent, the characters 
indicate a negative acknowledgement (NAK)> 


126. Safe Storage of Messages 

Safe-store all incoming/outgoing message traffic to protect 
against power or equipment failure or power surges or 
spikes. 


127. Dynamic Polling Reconfiguration 

Use dynamic reconfiguration of polling lists to restrict 
access by certain terminals during certain periods (see also 
Countermeasures 85, 111, and 116). 


128. Automatic Answering/Automatic Outdialing 

Use programmable front ends, concentrators, or modems for 
automatic call handling to increase efficiency апа 
throughput: 


129.  Pseudo-Duplex/Full-Duplex Operation 

Use a pseudo-duplex (which appears like a four-wire circuit) 
or a two-wire multiplexed circuit to maintain continuous 
carrier wave and increase transmission efficiency and 
reliability. 


130. Line Backup 

Have an automatic or manual dial-up line capability as 
backup for dedicated lines. Such facilities should allow 
outdialing only. 


131. Modems with Automatic Equalization 

Use modems with automatic equalization and balancing to 
compensate for line distortion, thus reducing line error and 
decreasing the need for conditioned lines. 


128 


132. Network Controllers/Network Management Systems 
Eliminate the need for remote site test personnel by using 
automated remote monitoring systems that provide a central 
operator with all pertinent network status information. 
These systems, which can supervise large multiple-point and 
distributed processing networks, are designed around a 
master controller at the network control center. The 
controller is connected to special modules in each modem in 
the network that monitor the performance of their associated 
modems, collect status data, and respond to commands from 
the central controller. The central-site operator diagnoses 
faults in the network and initiates corrective action. Some 
of these systems are also equipped with a network management 
capability that provides statistical and trend reporting on 
network operation. 
Such reporting is particularly important when: 
Central controllers change the polling configura- 
tion or in some way alter the manner in which 
terminals access the network, especially if: 
--The controller alters the time during which 
terminal(s) are granted access. 
--The controller alters rules that mediate the 
access of certain terminals or groups of terminals 
to the various processors, programs, or data 
accessed by the network. 
The central controller is used to establish both 
virtual and physical links between processor nodes 
in the network; that is, it establishes a circuit 
between one host processor and a terminal user of 
another host processor in the network. 


133. Modems and Automatic Redialing 

Use modems with automatic redialing capability to minimize 
downtime from line dropout. These modems should be avail- 
able ‘at the host processor only. Providing automatic 
redialing at a remote dial-up node might allow an interloper 
to cause a line dropout, followed by redialing of the host 
processor. Since the host would simply be reestablishing an 
existing connection, the safety feature of outdialing would 
not be used. 


134. Multispeed Modems 

Use modems with a multispeed capability (generally 300 to 
9,600 bits per second). Lower speeds can be used when line 
error rates are high or when a larger number of slower 
circuits is desired, such as for online data entry or ter- 
minal inquiry. Higher speeds can then be used when line 
error rates are low and higher-speed transmission is more 
efficient, such as for bulk data transfer. 
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135.  Packet-Switched Networks 

Use packet-switched networks for both security and relia- 
bility. These networks divide all messages into packets and 
route them over different communications paths. This 
technique provides a higher level of reliability and makes 
message interception significantly more difficult. 


136. Communications Hardware Backup 
Maintain hot spares for critical communications hardware: 
° Modems 
* Multiplexors 
* Cryptographic devices 
* Digital switches 
* Communications controllers 
° Terminals 
* Cluster controllers 


137. Digital Radio Backup 
In the event of total communication failure, patch slow- 
speed digital output through HF/VHF/UHF radio links. 


138. Communications Software Backup 

Maintain up-to-date backup copies of all communications 
software for use in the event of destruction or failure of 
the primary system. Storage should be on a secure off-site 
location. 


PROCEDURAL SECURITY CONTROLS 


139. Review Access and Transaction Authority 

Establish a program for the regular review of user access 
privilege and transaction authority. Ensure that the 
authorizations are still necessary for user function and are 
restricted to the smallest number of people consistent with 
operational effectiveness. 


140. Verification of Transaction Authorization 

Establish a control function to verify independently the 
authorization of transactions before giving transaction 
documents to terminal operators for data input by having a 
verification clerk check the signature or query the 
authorizer by phone. 


141. Input Format Aids 

Use such input format aids as menus and data input masks to 
speed data entry and reduce operator input error, especially 
for financial and other sensitive transactions. 


142. Output Report Identification 


Ensure that all reports (including microform) contain the 
following identification information: 
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Report date 

Report title 

User name 

Sensitivity level of report 

Disposal and control procedures (e.g., return to 
document control for destruction). 


143. Suspended-Item Reconciliation 

Ensure that all suspended transactions such as input errors 
are reconciled, either manually or through the program, at 
the end of each processing day or cycle. 


144.  Batch-Size Control 

Limit size of input batches (e.g., no more than 50 source 
documents) for maximum control and facilitated reconcilia- 
tion and batch verification. 


145.  Cross-Reference Field 

Use the source document number as part of the transaction 
number to provide a cross-reference and an audit trail to 
allow tracing transactions to the source document that 
created them. 


146. Correction Procedures 
Clearly define procedures to be used in correcting input 
errors, delineating: 
The types and classes of errors that occur 
Correction procedures for error processing 
* Authorization and verification procedures for 
generating a corrected transaction 
Logging procedures for corrected transactions 
Re-input/recycling procedures 
Balancing procedures for corrected output totals. 


147. Date/Time Stamping of Source Documents 

Date/time-stamp all source documents at the time of data 
entry to prevent multiple entries of the same transaction. 
Time-stamp all input transactions to avoid confusion with 
multiple transactions from the same source or those with 
Similar or repetitive information. 


148. Source-Data Capture 
Use source-data-capture techniques that minimize both the 
creation and manual processing of paper transactions and 
= for error. Methods to be considered include: 
Optical character recognition 
MICR coding 
Bar coding 
Terminal data capture at the point of origin. 
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149. Verification of Input Data 
Ensure that critical data is verified for accuracy before 
being released for processing. This verification should be 
done by an operator other than the one who made the initial 
input, and is generally accomplished by: 
Key verification of card-input data, using indepen- 
dent keying of data from a source document. 
Calling up a transaction for display on a CRT, 
using a transaction number or other unique identi- 
fier. The verification operator then rekeys the 
transaction (or certain sensitive data elements) 
from the source document to make sure that there is 
a macchi 


150. Transaction Identification 
Assign a unique transaction code to each transaction entered 
into the system. 


151. Run-to-Run Totals 

Use run-to-run totals for unit and aggregate reconciliation 
after each run to help prevent loss of or tampering with 
data between runs. Totals from each batch can be reconciled 
manually with the machine-generated total for the run. All 
out-of-balance conditions should be logged, and corrective 
action should be taken by supervisors. 


152. Central Control Group 

Establish a central control function responsible for all 
verification, error correction, re-input, and reconcilia- 
tion. This function should be independent of the data entry 
function: 


153.  Memo-Posting System 

Use memo posting for sensitive online data-capture opera- 
tions The transactions are entered online during the 
processing day and are batched in a transaction file. At 
intervals during the processing day, source documents (e.g., 
checks, invoices) are again input (using MICR, OCR, or the 
like). The two files are reconciled, and only the online 
transactions that match corresponding source documents are 
written to a live production data file. 


154. Front-End Editing of Input 
Use intelligent terminals for editing at the point of data 
capture. This reduces overhead on the mainframe and pro- 
vides an initial level of system control. Edits that might 
þe рер ещ at this level include: 
Testing limits to determine whether entered values 
exceed predefined nominals 
Consistency checking between input data fields 
Completeness checking to ascertain that all neces- 
Sary data for transaction processing has been input 
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Transaction-date comparison with system clock 

* Comparison between user ID/terminal ID and allowed 
transaction codes to ensure that the input is an 
authorized transaction. 


155. Restricted Inputed Points 

Develop both physical and programmed restrictions on termin- 
als that process critical transactions or capture critical 
data (see also Countermeasures 85, 111, and 116). 


156. Controlled Access to Critical Source Documents 
Restrict and control access to sensitive source documents 
(e.g., receiving reports, vouchers, checks). Gone 
sensitive documents with serially numbered forms. 


157. Physical Control of Output 
Ensure that all system output 15 properly controlled; 
controls should include the following: 

б“ Keep all human-readable output in a physically 
secured area. 

б“ Have users sign for all output received from the 
data center. 

* Produce only enough copies to meet operational 
needs. Periodically review user output report 
requirements to ensure that excess copies or 
unnecessary reports are not being created. 

* Reconcile actual output production with the output 
volume reported by the program (page-count 
routines). 

* Destroy carbon paper after running sensitive 
output. 

* Mark sensitive output appropriately. 

See also Countermeasure 31. 


158. Critical Hardware Backup 

Provide backup or redundant hardware for critical system 
components such as CPUs, disk drives, tape drives, printers, 
COM units, and CRTs. These should be regularly inspected, 
maintained, and tested. 


159. Critical Software Backup 
Maintain off-site backup copies of current critical system 
and application software, such as: 

* Operating systems 

* DBMSS 

* Security software 

" Application software. 


160. Software Modification Control 

All system or application software changes should be imple- 
mented and tested on a developmental or target disk pack. 
After certification, this pack should be given to operators 
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for loading of the production system. Changes should never 
be made directly to a production system, and programmers 
should never move the change from development to production. 
Emergency patches made at times other than those designated 
for change implementation must be properly documented and 
reviewed by the appropriate authority within 24 hours. No 
changes should be made without going through the established 
change control/configuration management cycle (see Counter- 
measure 72). 


SECURITY MANAGEMENT CONTROLS 


161. DP Security Committee 
Appoint a DP security committee to coordinate data and com- 
munications security requirements. This committee should be 
SEDES of: 

The chief operating officer 

The DP risk manager (see Countermeasure 163) 

The data security officer (see Countermeasure 164) 

The auditor 

The director of data processing 

* Representatives of major system users. 

This committee, which should have a written charter from the 
chief executive officer, should meet regularly. 


162. Data Security Manual 
Develop formal documentation of all DP and communications 
security procedures in the form of a data security manual, 
which ке ле contain: 
Statement of security policy 
Organizational security responsibilities 
Data-center physical security procedures 
Online and terminal security procedures 
Security and control considerations in software 
development and maintenance 
Security-incident reporting procedures 
Contingency and  continuity-of-operations plan, 
including disaster recovery and alternate-site 
processing. 


163. DP Risk Manager/DP Security Administrator 
Appoint a DP risk manager who, to maintain operational inde- 
pendence, reports to the individual within the organization 
who 1S responsible for overall risk management planning 
(e.g. corporate risk manager, controller). This person 
should ме responsible for: 
Development of overall DP and communications 
security policy and standards for the organization. 
Coordination of policy implementation with the DP 
organization and system users. 
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Conducting risk analyses of DP and communications 
operations and developing an overall program that 
integrates all aspects of risk management within 
the organization's automated environment, 
including: 
--Risk reduction and countermeasure implementation 
--Risk retention 
--Transfer of risk through insurance 
Develop contingency and continuity-of-operations 
plans to ensure the maintenance of essential DP and 
communications functions in the event of damage to 
or destruction of primary system resources. 

At the operational level, each major user area should 

appoint DP security administrator to be responsible for: 
Developing (under the guidance of the risk manager) 
specific security operating procedures to facili- 
tate security policy implementation within his or 
her area. 
Ensuring compliance with security policies and 
procedures within his or her area. 
Working with the risk manager to develop new 
policies and practices in response to changing 
systems and operational requirements. 


164. Data Security Officer 
In organizations where, size or other considerations make it 
infeasible to appoint a DP risk manager, a data security 
officer (DSO) should be appointed. - For reasons of opera- 
tional independence, the DSO should report outside the DP 
залар and should be responsible for: 
Developing DP and communications policy and proce- 
dures for all systems and users. 
Ensuring overall compliance with policies and 
procedures and assisting users in the resolution of 
security-related problems. 
Conducting risk analyses of existing and proposed 
systems and developing appropriate security and 
control postures for these systems. 
Reviewing all modifications to critical and/or 
sensitive systems to ensure that proper security 
and control has been maintained. 
Developing contingency and continuity-of-operations 
plans. 


кат кет, 26: pp. II-A-1 toy II-A-27. 
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APPENDIX J 


THREATS /ASSETS/CONTROLS MATRIX 


Threats Controls 

А.1 в, 9, 10, 25 зе лиза 397 1612c 

А.2 8, 9, 24, 25, 26, 27, 36, 39 ЛЕВ 

А.З 4, 5, 7, 8 9, 283, 36, 3% ЧЕ 2 

А. 4 4, 5, 7-10, 23, 36, 51, dil -64 

A.5 8, 9, 36, 39, 161-64 

A.6 8, 9, 36, 39, 161-64 

A.7 8, 9, 36, 39, 161-64 

B.9 8, 9, 35, 39, 161-64 

Beare 8, 9, 35, 161-64 

Сла 1, 2, 8, 9," 12 If a16, 28; co Е 
33, 35,36, 39 N57 52 

Са 8, 9, 161-64 

Ваш 1, 2, 8, 9, 12, 28, 32, 33, 35) so 
161-64 

А.1 6-8,. 15, 20, 21, 27, 36, 161-64 

A.2 6-8, 20, 25, 26, 27, 36, 161-64 

А.З 4, 5, 7, 29,6, 165 

A.4 4, 5, 7, 20, 245 2227) 161561 

A.7 6, 36, 161-64 

В.1 6, 36, 39, 161-64 

Qua 1, 2, 12, 18, 19, 28, a9, 32, EB 
25, 136; 3977755 554 

DUE 1, 2, 12, 28, 32954295, 35, 39) Е 

А.Т 6, 8, 11, 15, 2522, %6, 161-64 

А.2 6, 8, 11, 25, 26-27, 36, 161-64 

А.З 4, 5, 11, 36, 161-64 

A.4 4, 5, 11, 22, зей 1 64 

А.5 11, 3:6; 161564 

A.6 11, 36, 1637 54 

A.7 11, 36, 161-64 

Baal 6, 11, 36, 161-64 

Bee 11, 15, 36, 39, 161-64 

С.З 1, 2, 12, 18, I9, 28, 29, з2 ШЕЕ 
35, 36, 39, 161-64 

э! 1, 2, 12, 28,32, сы 

А.1 36, 161-64 

A.2 36, 161-64 
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APPENDIX K 
mourROLS APPLICABILITY BY SENSITIVITY/CRITICALNESS LEVEL 


Controls 


eS PX PX PS PS PS PS X PS р оа ра ра ра ра ра ра ра 


оа оа ра ра ра да ра 2 "S да ра Ж оа ра да ра ра ра ра ра 
оа ра ра ра ра ж оа а дара Ж да оа ра ра ра ра ра ра ра ра ра 
оа оа ра ра ра Ж ра ра ра ра р оа ра ра ра ра ра ра ра ра ра ра 
оа ра ра ра ра Ж ос ра ра ра ра ра Ж да ра ра ра ра ра ра ра ра ра ра 
ро ра ра ра ра > оа ра ра ра ра ра ра ра ра ра ра ра ра ра ра ра ра ра 
>< 

"S eS ра ра ра ра д жж 

PW 24 оа ра ра ра га д ра ра ра 

оа ра ра ра ра ра ра ра ра > а ра ра 04 

оа ра ра ра ра ра ра ра ра PS д ра ра р 


Soe COE о о о оо о о б о о о о о о о о сб 


е е е 


cd cb ed ed QN OQ QN QN O 0 0 sf «1 10 00 10 10 P 0 0 


145 


Controls 


29.2 


28.3 


| 


2902 
207 


PS PS ра 


PS PS ра 


PS PS PS 


PS PS PX 


mS ж 
4 "S 
04 ра PS 
PS PS PS 
PS PS "S 
PS PS PS 
PS юе PS PS PS > 
PS P$ PS "S PS ж-е > 
оа ра ра 04 оа ра ра ра ра ра ра ра ра ра ра ра 
PS PS ра ра PA а оа ра PX PX ра ра ра ра ра PS pS PS 
PS PS PS ра о 04 ра ра ра ра ра 94 ра ра ра 24 
PS PS ра ра PS рс ра ра ра ра рс ра ра ра ра ра ра 
мо 
€) €» C» саса” ғ жи зююююююю 


"S 


PS 


PS ра PS P$ ра 


PS ра PS P$ ра 


PS ра ра ра ра ра ра ра ра ра 


04 ра ра ра ра ра ра ра ра ра 


PA PS PS ра 


оа ра ра ра 


PS P$ P$ ра 


PS ра ра ра 


PS P4 PS PS 


PS ра ра ра 


PS PS ра ра 


PS PS PS PS 


PS PS PS ра 


Ga. 
69: 
703 
TI 


146 


controls 


> > 

2S же 

S же 

S ж 

> ж 
ммм X PS ра ра PS ра ммм жж 
д хаж ж ” р ра ра ра ра ра ра ра ра ра ж 
д оа ра ра ра ра ра ра д с ра ра ра ра ра оа ра ра ра ра да ра ра ра ра ра PS ж 
рс ра ра ра ра ра ра ра ра “== PX PX P4 PX ра ра ра ра ра ра ра ра ра ра ра ра ра ра да ра ра ра ра ра ра Жж > 
да ра р ра ра р рӯ ра ра ра рӯ 04 ра ра ра ра рӯ ра ра ра ра ра ра ра ра да ра ра ра ра ра ра ра па PX ра ра ра ра ра ра ра ра ра ра ра 
94 PX P4 P4 PX P4 P4 ра ра ра ра ра ра 04 0с ра ра ра ра ра ра ра ра ра ра ра ра ра ра ра ра ра ра па да ра ра ра ра ра ра ра ра ра ра ра 

аи DL M Базе онсе чю юг осло НЧ НО ТП ОСОСО 

чо чю огото ч со ч Юю 30 D-: 00 OY O à e Oo «xr (0 30 C- 00 0 O O O O O O O O O O wd nd d d dn d d de d dq 
ГУ ГУ ГУ ГУ ГУ 0 P C 00 00 00 со со 00 00 00 00 00 О/ ОУ ОУ ОУ ОУ ОУ ОУ ОУ ОУ Оу гі езі еі кісі ce e e e e c c e c c d d ісі ні ч 


147 


121. 


Controls 


PS PS S 


PG 04 а р 


ра Ра ре р4 


04 ра ра оа 


122 
E 
124 


T25: 
126. 
127. 
128. 
1299 


04 4 04 ра S DS < 


04 ра 04 ра ра ра P4 оа ра 


дада д Ж 


04 04 04 04 ра 04 ра 04 РӮ 


” 


S 


130. 
з 
132 
T33: 
134 
135 
1:365 
Зз. 
T3 


ж 


24 


e PSPS PS PS OS 


04 р 


0а ра ра 04 ра ра 


04 ра 04 ра ра ра ос ра оа ра ра ра ра оа PX ра ра 


ххх да »4 


P4 P4 94 94 94 P4 9S 94 P4 PX P4 д P4 94 оа 


04 04 04 ра ра ра ос рс оа ра ра ра рӯ ра ра ра ра ра оа 


гсочао топоюгосона 0 sr пюс 
C) əң sr <<” ӘУ Т УООЦО ЦОН 
ci c cei c c e cei e rn ce e ci ei ce e ce e e c 


158. 
T99; 


жж 04 


04 04 ра ра ра 


PS PS PG OG PS 


04 04 ра ра ра 


ре Ра ра ра ра 


SOS OS OS 94 


160 
161 
162. 
169 
164 


1-Е-6 со нш Ше 


20. T pp: 


Ref. 


SOURCE: 


148 


APPENDIX L 


SECURITY DATABASE CONTENTS 


Security policy information 

Security-related laws and regulations information 

Top management security needs and concerns information 
IS objectives and measures of performance information 
Identified and defined IS users information 

Users' security needs and concerns information 

IS components (tasks) information 

IS configuration information 

IS plans information 

Applications under development information 

Existing IS applications Usfosusticm 


IS security-related policy statements, standards, rules, 
procedures and guidelines information 


Results of audits and inspections information 
History of security violations and problems information 


Applications, data, and transactions classification 
information 


Threats inventory information 

Impact analysis information 
Vulnerability assessment information 
Logical design information 

Practical design information 


Testing information 
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Security configuration informacion 
Security budgetary and staff information 


Security staff procedures, standards, rules, and 
policies. 
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